projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 #define NUM_SEL_MNT_OPTS 5
98
99 extern struct security_operations *security_ops;
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 static struct kmem_cache *sel_inode_cache;
133
134 /**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
142 *
143 */
144 static int selinux_secmark_enabled(void)
145 {
146 return (atomic_read(&selinux_secmark_refcount) > 0);
147 }
148
149 /*
150 * initialise the security for the init task
151 */
152 static void cred_init_security(void)
153 {
154 struct cred *cred = (struct cred *) current->real_cred;
155 struct task_security_struct *tsec;
156
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158 if (!tsec)
159 panic("SELinux: Failed to initialize initial task.\n");
160
161 tsec->osid = tsec->sid = SECINITSID_KERNEL;
162 cred->security = tsec;
163 }
164
165 /*
166 * get the security ID of a set of credentials
167 */
168 static inline u32 cred_sid(const struct cred *cred)
169 {
170 const struct task_security_struct *tsec;
171
172 tsec = cred->security;
173 return tsec->sid;
174 }
175
176 /*
177 * get the objective security ID of a task
178 */
179 static inline u32 task_sid(const struct task_struct *task)
180 {
181 u32 sid;
182
183 rcu_read_lock();
184 sid = cred_sid(__task_cred(task));
185 rcu_read_unlock();
186 return sid;
187 }
188
189 /*
190 * get the subjective security ID of the current task
191 */
192 static inline u32 current_sid(void)
193 {
194 const struct task_security_struct *tsec = current_security();
195
196 return tsec->sid;
197 }
198
199 /* Allocate and free functions for each kind of security blob. */
200
201 static int inode_alloc_security(struct inode *inode)
202 {
203 struct inode_security_struct *isec;
204 u32 sid = current_sid();
205
206 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
207 if (!isec)
208 return -ENOMEM;
209
210 mutex_init(&isec->lock);
211 INIT_LIST_HEAD(&isec->list);
212 isec->inode = inode;
213 isec->sid = SECINITSID_UNLABELED;
214 isec->sclass = SECCLASS_FILE;
215 isec->task_sid = sid;
216 inode->i_security = isec;
217
218 return 0;
219 }
220
221 static void inode_free_security(struct inode *inode)
222 {
223 struct inode_security_struct *isec = inode->i_security;
224 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
225
226 spin_lock(&sbsec->isec_lock);
227 if (!list_empty(&isec->list))
228 list_del_init(&isec->list);
229 spin_unlock(&sbsec->isec_lock);
230
231 inode->i_security = NULL;
232 kmem_cache_free(sel_inode_cache, isec);
233 }
234
235 static int file_alloc_security(struct file *file)
236 {
237 struct file_security_struct *fsec;
238 u32 sid = current_sid();
239
240 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
241 if (!fsec)
242 return -ENOMEM;
243
244 fsec->sid = sid;
245 fsec->fown_sid = sid;
246 file->f_security = fsec;
247
248 return 0;
249 }
250
251 static void file_free_security(struct file *file)
252 {
253 struct file_security_struct *fsec = file->f_security;
254 file->f_security = NULL;
255 kfree(fsec);
256 }
257
258 static int superblock_alloc_security(struct super_block *sb)
259 {
260 struct superblock_security_struct *sbsec;
261
262 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
263 if (!sbsec)
264 return -ENOMEM;
265
266 mutex_init(&sbsec->lock);
267 INIT_LIST_HEAD(&sbsec->isec_head);
268 spin_lock_init(&sbsec->isec_lock);
269 sbsec->sb = sb;
270 sbsec->sid = SECINITSID_UNLABELED;
271 sbsec->def_sid = SECINITSID_FILE;
272 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
273 sb->s_security = sbsec;
274
275 return 0;
276 }
277
278 static void superblock_free_security(struct super_block *sb)
279 {
280 struct superblock_security_struct *sbsec = sb->s_security;
281 sb->s_security = NULL;
282 kfree(sbsec);
283 }
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288 "uses xattr",
289 "uses transition SIDs",
290 "uses task SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300 return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304 Opt_error = -1,
305 Opt_context = 1,
306 Opt_fscontext = 2,
307 Opt_defcontext = 3,
308 Opt_rootcontext = 4,
309 Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317 {Opt_labelsupport, LABELSUPP_STR},
318 {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
325 const struct cred *cred)
326 {
327 const struct task_security_struct *tsec = cred->security;
328 int rc;
329
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
332 if (rc)
333 return rc;
334
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
337 return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
343 {
344 const struct task_security_struct *tsec = cred->security;
345 int rc;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
353 return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358 struct superblock_security_struct *sbsec = sb->s_security;
359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
361 int rc = 0;
362
363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
372 rc = -EOPNOTSUPP;
373 goto out;
374 }
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
381 else
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
385 goto out;
386 }
387 }
388
389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
394 else
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
398
399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
404
405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
408
409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
411
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
415 populates itself. */
416 spin_lock(&sbsec->isec_lock);
417 next_inode:
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
425 if (inode) {
426 if (!IS_PRIVATE(inode))
427 inode_doinit(inode);
428 iput(inode);
429 }
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
432 goto next_inode;
433 }
434 spin_unlock(&sbsec->isec_lock);
435 out:
436 return rc;
437 }
438
439 /*
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
443 */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445 struct security_mnt_opts *opts)
446 {
447 int rc = 0, i;
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
450 u32 len;
451 char tmp;
452
453 security_init_mnt_opts(opts);
454
455 if (!(sbsec->flags & SE_SBINITIALIZED))
456 return -EINVAL;
457
458 if (!ss_initialized)
459 return -EINVAL;
460
461 tmp = sbsec->flags & SE_MNTMASK;
462 /* count the number of mount options for this sb */
463 for (i = 0; i < 8; i++) {
464 if (tmp & 0x01)
465 opts->num_mnt_opts++;
466 tmp >>= 1;
467 }
468 /* Check if the Label support flag is set */
469 if (sbsec->flags & SE_SBLABELSUPP)
470 opts->num_mnt_opts++;
471
472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
474 rc = -ENOMEM;
475 goto out_free;
476 }
477
478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
480 rc = -ENOMEM;
481 goto out_free;
482 }
483
484 i = 0;
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
487 if (rc)
488 goto out_free;
489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491 }
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494 if (rc)
495 goto out_free;
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498 }
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501 if (rc)
502 goto out_free;
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505 }
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
509
510 rc = security_sid_to_context(isec->sid, &context, &len);
511 if (rc)
512 goto out_free;
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515 }
516 if (sbsec->flags & SE_SBLABELSUPP) {
517 opts->mnt_opts[i] = NULL;
518 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519 }
520
521 BUG_ON(i != opts->num_mnt_opts);
522
523 return 0;
524
525 out_free:
526 security_free_mnt_opts(opts);
527 return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531 u32 old_sid, u32 new_sid)
532 {
533 char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535 /* check if the old mount command had the same options */
536 if (sbsec->flags & SE_SBINITIALIZED)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
539 return 1;
540
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
543 */
544 if (!(sbsec->flags & SE_SBINITIALIZED))
545 if (mnt_flags & flag)
546 return 1;
547 return 0;
548 }
549
550 /*
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
553 */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
556 {
557 const struct cred *cred = current_cred();
558 int rc = 0, i;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 goto out;
577 }
578 rc = -EINVAL;
579 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580 "before the security server is initialized\n");
581 goto out;
582 }
583
584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
595 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
598
599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606
607 if (flags[i] == SE_SBLABELSUPP)
608 continue;
609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
611 if (rc) {
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
614 mount_options[i], sb->s_id, name, rc);
615 goto out;
616 }
617 switch (flags[i]) {
618 case FSCONTEXT_MNT:
619 fscontext_sid = sid;
620
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622 fscontext_sid))
623 goto out_double_mount;
624
625 sbsec->flags |= FSCONTEXT_MNT;
626 break;
627 case CONTEXT_MNT:
628 context_sid = sid;
629
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631 context_sid))
632 goto out_double_mount;
633
634 sbsec->flags |= CONTEXT_MNT;
635 break;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
638
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640 rootcontext_sid))
641 goto out_double_mount;
642
643 sbsec->flags |= ROOTCONTEXT_MNT;
644
645 break;
646 case DEFCONTEXT_MNT:
647 defcontext_sid = sid;
648
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650 defcontext_sid))
651 goto out_double_mount;
652
653 sbsec->flags |= DEFCONTEXT_MNT;
654
655 break;
656 default:
657 rc = -EINVAL;
658 goto out;
659 }
660 }
661
662 if (sbsec->flags & SE_SBINITIALIZED) {
663 /* previously mounted with options, but not on this attempt? */
664 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665 goto out_double_mount;
666 rc = 0;
667 goto out;
668 }
669
670 if (strcmp(sb->s_type->name, "proc") == 0)
671 sbsec->flags |= SE_SBPROC;
672
673 /* Determine the labeling behavior to use for this filesystem type. */
674 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675 if (rc) {
676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677 __func__, sb->s_type->name, rc);
678 goto out;
679 }
680
681 /* sets the context of the superblock for the fs being mounted. */
682 if (fscontext_sid) {
683 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684 if (rc)
685 goto out;
686
687 sbsec->sid = fscontext_sid;
688 }
689
690 /*
691 * Switch to using mount point labeling behavior.
692 * sets the label used on all file below the mountpoint, and will set
693 * the superblock context if not already set.
694 */
695 if (context_sid) {
696 if (!fscontext_sid) {
697 rc = may_context_mount_sb_relabel(context_sid, sbsec,
698 cred);
699 if (rc)
700 goto out;
701 sbsec->sid = context_sid;
702 } else {
703 rc = may_context_mount_inode_relabel(context_sid, sbsec,
704 cred);
705 if (rc)
706 goto out;
707 }
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
710
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713 }
714
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717 cred);
718 if (rc)
719 goto out;
720
721 root_isec->sid = rootcontext_sid;
722 root_isec->initialized = 1;
723 }
724
725 if (defcontext_sid) {
726 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727 rc = -EINVAL;
728 printk(KERN_WARNING "SELinux: defcontext option is "
729 "invalid for this filesystem type\n");
730 goto out;
731 }
732
733 if (defcontext_sid != sbsec->def_sid) {
734 rc = may_context_mount_inode_relabel(defcontext_sid,
735 sbsec, cred);
736 if (rc)
737 goto out;
738 }
739
740 sbsec->def_sid = defcontext_sid;
741 }
742
743 rc = sb_finish_set_opts(sb);
744 out:
745 mutex_unlock(&sbsec->lock);
746 return rc;
747 out_double_mount:
748 rc = -EINVAL;
749 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
750 "security settings for (dev %s, type %s)\n", sb->s_id, name);
751 goto out;
752 }
753
754 static int selinux_cmp_sb_context(const struct super_block *oldsb,
755 const struct super_block *newsb)
756 {
757 struct superblock_security_struct *old = oldsb->s_security;
758 struct superblock_security_struct *new = newsb->s_security;
759 char oldflags = old->flags & SE_MNTMASK;
760 char newflags = new->flags & SE_MNTMASK;
761
762 if (oldflags != newflags)
763 goto mismatch;
764 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
765 goto mismatch;
766 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
767 goto mismatch;
768 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
769 goto mismatch;
770 if (oldflags & ROOTCONTEXT_MNT) {
771 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
772 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
773 if (oldroot->sid != newroot->sid)
774 goto mismatch;
775 }
776 return 0;
777 mismatch:
778 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
779 "different security settings for (dev %s, "
780 "type %s)\n", newsb->s_id, newsb->s_type->name);
781 return -EBUSY;
782 }
783
784 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
785 struct super_block *newsb)
786 {
787 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
788 struct superblock_security_struct *newsbsec = newsb->s_security;
789
790 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
791 int set_context = (oldsbsec->flags & CONTEXT_MNT);
792 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
793
794 /*
795 * if the parent was able to be mounted it clearly had no special lsm
796 * mount options. thus we can safely deal with this superblock later
797 */
798 if (!ss_initialized)
799 return 0;
800
801 /* how can we clone if the old one wasn't set up?? */
802 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
803
804 /* if fs is reusing a sb, make sure that the contexts match */
805 if (newsbsec->flags & SE_SBINITIALIZED)
806 return selinux_cmp_sb_context(oldsb, newsb);
807
808 mutex_lock(&newsbsec->lock);
809
810 newsbsec->flags = oldsbsec->flags;
811
812 newsbsec->sid = oldsbsec->sid;
813 newsbsec->def_sid = oldsbsec->def_sid;
814 newsbsec->behavior = oldsbsec->behavior;
815
816 if (set_context) {
817 u32 sid = oldsbsec->mntpoint_sid;
818
819 if (!set_fscontext)
820 newsbsec->sid = sid;
821 if (!set_rootcontext) {
822 struct inode *newinode = newsb->s_root->d_inode;
823 struct inode_security_struct *newisec = newinode->i_security;
824 newisec->sid = sid;
825 }
826 newsbsec->mntpoint_sid = sid;
827 }
828 if (set_rootcontext) {
829 const struct inode *oldinode = oldsb->s_root->d_inode;
830 const struct inode_security_struct *oldisec = oldinode->i_security;
831 struct inode *newinode = newsb->s_root->d_inode;
832 struct inode_security_struct *newisec = newinode->i_security;
833
834 newisec->sid = oldisec->sid;
835 }
836
837 sb_finish_set_opts(newsb);
838 mutex_unlock(&newsbsec->lock);
839 return 0;
840 }
841
842 static int selinux_parse_opts_str(char *options,
843 struct security_mnt_opts *opts)
844 {
845 char *p;
846 char *context = NULL, *defcontext = NULL;
847 char *fscontext = NULL, *rootcontext = NULL;
848 int rc, num_mnt_opts = 0;
849
850 opts->num_mnt_opts = 0;
851
852 /* Standard string-based options. */
853 while ((p = strsep(&options, "|")) != NULL) {
854 int token;
855 substring_t args[MAX_OPT_ARGS];
856
857 if (!*p)
858 continue;
859
860 token = match_token(p, tokens, args);
861
862 switch (token) {
863 case Opt_context:
864 if (context || defcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 context = match_strdup(&args[0]);
870 if (!context) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 case Opt_fscontext:
877 if (fscontext) {
878 rc = -EINVAL;
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 goto out_err;
881 }
882 fscontext = match_strdup(&args[0]);
883 if (!fscontext) {
884 rc = -ENOMEM;
885 goto out_err;
886 }
887 break;
888
889 case Opt_rootcontext:
890 if (rootcontext) {
891 rc = -EINVAL;
892 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
893 goto out_err;
894 }
895 rootcontext = match_strdup(&args[0]);
896 if (!rootcontext) {
897 rc = -ENOMEM;
898 goto out_err;
899 }
900 break;
901
902 case Opt_defcontext:
903 if (context || defcontext) {
904 rc = -EINVAL;
905 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
906 goto out_err;
907 }
908 defcontext = match_strdup(&args[0]);
909 if (!defcontext) {
910 rc = -ENOMEM;
911 goto out_err;
912 }
913 break;
914 case Opt_labelsupport:
915 break;
916 default:
917 rc = -EINVAL;
918 printk(KERN_WARNING "SELinux: unknown mount option\n");
919 goto out_err;
920
921 }
922 }
923
924 rc = -ENOMEM;
925 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
926 if (!opts->mnt_opts)
927 goto out_err;
928
929 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
930 if (!opts->mnt_opts_flags) {
931 kfree(opts->mnt_opts);
932 goto out_err;
933 }
934
935 if (fscontext) {
936 opts->mnt_opts[num_mnt_opts] = fscontext;
937 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
938 }
939 if (context) {
940 opts->mnt_opts[num_mnt_opts] = context;
941 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
942 }
943 if (rootcontext) {
944 opts->mnt_opts[num_mnt_opts] = rootcontext;
945 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
946 }
947 if (defcontext) {
948 opts->mnt_opts[num_mnt_opts] = defcontext;
949 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
950 }
951
952 opts->num_mnt_opts = num_mnt_opts;
953 return 0;
954
955 out_err:
956 kfree(context);
957 kfree(defcontext);
958 kfree(fscontext);
959 kfree(rootcontext);
960 return rc;
961 }
962 /*
963 * string mount options parsing and call set the sbsec
964 */
965 static int superblock_doinit(struct super_block *sb, void *data)
966 {
967 int rc = 0;
968 char *options = data;
969 struct security_mnt_opts opts;
970
971 security_init_mnt_opts(&opts);
972
973 if (!data)
974 goto out;
975
976 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
977
978 rc = selinux_parse_opts_str(options, &opts);
979 if (rc)
980 goto out_err;
981
982 out:
983 rc = selinux_set_mnt_opts(sb, &opts);
984
985 out_err:
986 security_free_mnt_opts(&opts);
987 return rc;
988 }
989
990 static void selinux_write_opts(struct seq_file *m,
991 struct security_mnt_opts *opts)
992 {
993 int i;
994 char *prefix;
995
996 for (i = 0; i < opts->num_mnt_opts; i++) {
997 char *has_comma;
998
999 if (opts->mnt_opts[i])
1000 has_comma = strchr(opts->mnt_opts[i], ',');
1001 else
1002 has_comma = NULL;
1003
1004 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT:
1006 prefix = CONTEXT_STR;
1007 break;
1008 case FSCONTEXT_MNT:
1009 prefix = FSCONTEXT_STR;
1010 break;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1013 break;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1016 break;
1017 case SE_SBLABELSUPP:
1018 seq_putc(m, ',');
1019 seq_puts(m, LABELSUPP_STR);
1020 continue;
1021 default:
1022 BUG();
1023 return;
1024 };
1025 /* we need a comma before each option */
1026 seq_putc(m, ',');
1027 seq_puts(m, prefix);
1028 if (has_comma)
1029 seq_putc(m, '\"');
1030 seq_puts(m, opts->mnt_opts[i]);
1031 if (has_comma)
1032 seq_putc(m, '\"');
1033 }
1034 }
1035
1036 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1037 {
1038 struct security_mnt_opts opts;
1039 int rc;
1040
1041 rc = selinux_get_mnt_opts(sb, &opts);
1042 if (rc) {
1043 /* before policy load we may get EINVAL, don't show anything */
1044 if (rc == -EINVAL)
1045 rc = 0;
1046 return rc;
1047 }
1048
1049 selinux_write_opts(m, &opts);
1050
1051 security_free_mnt_opts(&opts);
1052
1053 return rc;
1054 }
1055
1056 static inline u16 inode_mode_to_security_class(umode_t mode)
1057 {
1058 switch (mode & S_IFMT) {
1059 case S_IFSOCK:
1060 return SECCLASS_SOCK_FILE;
1061 case S_IFLNK:
1062 return SECCLASS_LNK_FILE;
1063 case S_IFREG:
1064 return SECCLASS_FILE;
1065 case S_IFBLK:
1066 return SECCLASS_BLK_FILE;
1067 case S_IFDIR:
1068 return SECCLASS_DIR;
1069 case S_IFCHR:
1070 return SECCLASS_CHR_FILE;
1071 case S_IFIFO:
1072 return SECCLASS_FIFO_FILE;
1073
1074 }
1075
1076 return SECCLASS_FILE;
1077 }
1078
1079 static inline int default_protocol_stream(int protocol)
1080 {
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1082 }
1083
1084 static inline int default_protocol_dgram(int protocol)
1085 {
1086 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1087 }
1088
1089 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1090 {
1091 switch (family) {
1092 case PF_UNIX:
1093 switch (type) {
1094 case SOCK_STREAM:
1095 case SOCK_SEQPACKET:
1096 return SECCLASS_UNIX_STREAM_SOCKET;
1097 case SOCK_DGRAM:
1098 return SECCLASS_UNIX_DGRAM_SOCKET;
1099 }
1100 break;
1101 case PF_INET:
1102 case PF_INET6:
1103 switch (type) {
1104 case SOCK_STREAM:
1105 if (default_protocol_stream(protocol))
1106 return SECCLASS_TCP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
1109 case SOCK_DGRAM:
1110 if (default_protocol_dgram(protocol))
1111 return SECCLASS_UDP_SOCKET;
1112 else
1113 return SECCLASS_RAWIP_SOCKET;
1114 case SOCK_DCCP:
1115 return SECCLASS_DCCP_SOCKET;
1116 default:
1117 return SECCLASS_RAWIP_SOCKET;
1118 }
1119 break;
1120 case PF_NETLINK:
1121 switch (protocol) {
1122 case NETLINK_ROUTE:
1123 return SECCLASS_NETLINK_ROUTE_SOCKET;
1124 case NETLINK_FIREWALL:
1125 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1126 case NETLINK_SOCK_DIAG:
1127 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1128 case NETLINK_NFLOG:
1129 return SECCLASS_NETLINK_NFLOG_SOCKET;
1130 case NETLINK_XFRM:
1131 return SECCLASS_NETLINK_XFRM_SOCKET;
1132 case NETLINK_SELINUX:
1133 return SECCLASS_NETLINK_SELINUX_SOCKET;
1134 case NETLINK_AUDIT:
1135 return SECCLASS_NETLINK_AUDIT_SOCKET;
1136 case NETLINK_IP6_FW:
1137 return SECCLASS_NETLINK_IP6FW_SOCKET;
1138 case NETLINK_DNRTMSG:
1139 return SECCLASS_NETLINK_DNRT_SOCKET;
1140 case NETLINK_KOBJECT_UEVENT:
1141 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1142 default:
1143 return SECCLASS_NETLINK_SOCKET;
1144 }
1145 case PF_PACKET:
1146 return SECCLASS_PACKET_SOCKET;
1147 case PF_KEY:
1148 return SECCLASS_KEY_SOCKET;
1149 case PF_APPLETALK:
1150 return SECCLASS_APPLETALK_SOCKET;
1151 }
1152
1153 return SECCLASS_SOCKET;
1154 }
1155
1156 #ifdef CONFIG_PROC_FS
1157 static int selinux_proc_get_sid(struct dentry *dentry,
1158 u16 tclass,
1159 u32 *sid)
1160 {
1161 int rc;
1162 char *buffer, *path;
1163
1164 buffer = (char *)__get_free_page(GFP_KERNEL);
1165 if (!buffer)
1166 return -ENOMEM;
1167
1168 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1169 if (IS_ERR(path))
1170 rc = PTR_ERR(path);
1171 else {
1172 /* each process gets a /proc/PID/ entry. Strip off the
1173 * PID part to get a valid selinux labeling.
1174 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1175 while (path[1] >= '0' && path[1] <= '9') {
1176 path[1] = '/';
1177 path++;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 }
1181 free_page((unsigned long)buffer);
1182 return rc;
1183 }
1184 #else
1185 static int selinux_proc_get_sid(struct dentry *dentry,
1186 u16 tclass,
1187 u32 *sid)
1188 {
1189 return -EINVAL;
1190 }
1191 #endif
1192
1193 /* The inode's security attributes must be initialized before first use. */
1194 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1195 {
1196 struct superblock_security_struct *sbsec = NULL;
1197 struct inode_security_struct *isec = inode->i_security;
1198 u32 sid;
1199 struct dentry *dentry;
1200 #define INITCONTEXTLEN 255
1201 char *context = NULL;
1202 unsigned len = 0;
1203 int rc = 0;
1204
1205 if (isec->initialized)
1206 goto out;
1207
1208 mutex_lock(&isec->lock);
1209 if (isec->initialized)
1210 goto out_unlock;
1211
1212 sbsec = inode->i_sb->s_security;
1213 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1214 /* Defer initialization until selinux_complete_init,
1215 after the initial policy is loaded and the security
1216 server is ready to handle calls. */
1217 spin_lock(&sbsec->isec_lock);
1218 if (list_empty(&isec->list))
1219 list_add(&isec->list, &sbsec->isec_head);
1220 spin_unlock(&sbsec->isec_lock);
1221 goto out_unlock;
1222 }
1223
1224 switch (sbsec->behavior) {
1225 case SECURITY_FS_USE_XATTR:
1226 if (!inode->i_op->getxattr) {
1227 isec->sid = sbsec->def_sid;
1228 break;
1229 }
1230
1231 /* Need a dentry, since the xattr API requires one.
1232 Life would be simpler if we could just pass the inode. */
1233 if (opt_dentry) {
1234 /* Called from d_instantiate or d_splice_alias. */
1235 dentry = dget(opt_dentry);
1236 } else {
1237 /* Called from selinux_complete_init, try to find a dentry. */
1238 dentry = d_find_alias(inode);
1239 }
1240 if (!dentry) {
1241 /*
1242 * this is can be hit on boot when a file is accessed
1243 * before the policy is loaded. When we load policy we
1244 * may find inodes that have no dentry on the
1245 * sbsec->isec_head list. No reason to complain as these
1246 * will get fixed up the next time we go through
1247 * inode_doinit with a dentry, before these inodes could
1248 * be used again by userspace.
1249 */
1250 goto out_unlock;
1251 }
1252
1253 len = INITCONTEXTLEN;
1254 context = kmalloc(len+1, GFP_NOFS);
1255 if (!context) {
1256 rc = -ENOMEM;
1257 dput(dentry);
1258 goto out_unlock;
1259 }
1260 context[len] = '\0';
1261 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1262 context, len);
1263 if (rc == -ERANGE) {
1264 kfree(context);
1265
1266 /* Need a larger buffer. Query for the right size. */
1267 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1268 NULL, 0);
1269 if (rc < 0) {
1270 dput(dentry);
1271 goto out_unlock;
1272 }
1273 len = rc;
1274 context = kmalloc(len+1, GFP_NOFS);
1275 if (!context) {
1276 rc = -ENOMEM;
1277 dput(dentry);
1278 goto out_unlock;
1279 }
1280 context[len] = '\0';
1281 rc = inode->i_op->getxattr(dentry,
1282 XATTR_NAME_SELINUX,
1283 context, len);
1284 }
1285 dput(dentry);
1286 if (rc < 0) {
1287 if (rc != -ENODATA) {
1288 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1289 "%d for dev=%s ino=%ld\n", __func__,
1290 -rc, inode->i_sb->s_id, inode->i_ino);
1291 kfree(context);
1292 goto out_unlock;
1293 }
1294 /* Map ENODATA to the default file SID */
1295 sid = sbsec->def_sid;
1296 rc = 0;
1297 } else {
1298 rc = security_context_to_sid_default(context, rc, &sid,
1299 sbsec->def_sid,
1300 GFP_NOFS);
1301 if (rc) {
1302 char *dev = inode->i_sb->s_id;
1303 unsigned long ino = inode->i_ino;
1304
1305 if (rc == -EINVAL) {
1306 if (printk_ratelimit())
1307 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1308 "context=%s. This indicates you may need to relabel the inode or the "
1309 "filesystem in question.\n", ino, dev, context);
1310 } else {
1311 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1312 "returned %d for dev=%s ino=%ld\n",
1313 __func__, context, -rc, dev, ino);
1314 }
1315 kfree(context);
1316 /* Leave with the unlabeled SID */
1317 rc = 0;
1318 break;
1319 }
1320 }
1321 kfree(context);
1322 isec->sid = sid;
1323 break;
1324 case SECURITY_FS_USE_TASK:
1325 isec->sid = isec->task_sid;
1326 break;
1327 case SECURITY_FS_USE_TRANS:
1328 /* Default to the fs SID. */
1329 isec->sid = sbsec->sid;
1330
1331 /* Try to obtain a transition SID. */
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1334 isec->sclass, NULL, &sid);
1335 if (rc)
1336 goto out_unlock;
1337 isec->sid = sid;
1338 break;
1339 case SECURITY_FS_USE_MNTPOINT:
1340 isec->sid = sbsec->mntpoint_sid;
1341 break;
1342 default:
1343 /* Default to the fs superblock SID. */
1344 isec->sid = sbsec->sid;
1345
1346 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1347 if (opt_dentry) {
1348 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1349 rc = selinux_proc_get_sid(opt_dentry,
1350 isec->sclass,
1351 &sid);
1352 if (rc)
1353 goto out_unlock;
1354 isec->sid = sid;
1355 }
1356 }
1357 break;
1358 }
1359
1360 isec->initialized = 1;
1361
1362 out_unlock:
1363 mutex_unlock(&isec->lock);
1364 out:
1365 if (isec->sclass == SECCLASS_FILE)
1366 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1367 return rc;
1368 }
1369
1370 /* Convert a Linux signal to an access vector. */
1371 static inline u32 signal_to_av(int sig)
1372 {
1373 u32 perm = 0;
1374
1375 switch (sig) {
1376 case SIGCHLD:
1377 /* Commonly granted from child to parent. */
1378 perm = PROCESS__SIGCHLD;
1379 break;
1380 case SIGKILL:
1381 /* Cannot be caught or ignored */
1382 perm = PROCESS__SIGKILL;
1383 break;
1384 case SIGSTOP:
1385 /* Cannot be caught or ignored */
1386 perm = PROCESS__SIGSTOP;
1387 break;
1388 default:
1389 /* All other signals. */
1390 perm = PROCESS__SIGNAL;
1391 break;
1392 }
1393
1394 return perm;
1395 }
1396
1397 /*
1398 * Check permission between a pair of credentials
1399 * fork check, ptrace check, etc.
1400 */
1401 static int cred_has_perm(const struct cred *actor,
1402 const struct cred *target,
1403 u32 perms)
1404 {
1405 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1406
1407 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1408 }
1409
1410 /*
1411 * Check permission between a pair of tasks, e.g. signal checks,
1412 * fork check, ptrace check, etc.
1413 * tsk1 is the actor and tsk2 is the target
1414 * - this uses the default subjective creds of tsk1
1415 */
1416 static int task_has_perm(const struct task_struct *tsk1,
1417 const struct task_struct *tsk2,
1418 u32 perms)
1419 {
1420 const struct task_security_struct *__tsec1, *__tsec2;
1421 u32 sid1, sid2;
1422
1423 rcu_read_lock();
1424 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1425 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1426 rcu_read_unlock();
1427 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 /*
1431 * Check permission between current and another task, e.g. signal checks,
1432 * fork check, ptrace check, etc.
1433 * current is the actor and tsk2 is the target
1434 * - this uses current's subjective creds
1435 */
1436 static int current_has_perm(const struct task_struct *tsk,
1437 u32 perms)
1438 {
1439 u32 sid, tsid;
1440
1441 sid = current_sid();
1442 tsid = task_sid(tsk);
1443 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1444 }
1445
1446 #if CAP_LAST_CAP > 63
1447 #error Fix SELinux to handle capabilities > 63.
1448 #endif
1449
1450 /* Check whether a task is allowed to use a capability. */
1451 static int cred_has_capability(const struct cred *cred,
1452 int cap, int audit)
1453 {
1454 struct common_audit_data ad;
1455 struct av_decision avd;
1456 u16 sclass;
1457 u32 sid = cred_sid(cred);
1458 u32 av = CAP_TO_MASK(cap);
1459 int rc;
1460
1461 ad.type = LSM_AUDIT_DATA_CAP;
1462 ad.u.cap = cap;
1463
1464 switch (CAP_TO_INDEX(cap)) {
1465 case 0:
1466 sclass = SECCLASS_CAPABILITY;
1467 break;
1468 case 1:
1469 sclass = SECCLASS_CAPABILITY2;
1470 break;
1471 default:
1472 printk(KERN_ERR
1473 "SELinux: out of range capability %d\n", cap);
1474 BUG();
1475 return -EINVAL;
1476 }
1477
1478 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1479 if (audit == SECURITY_CAP_AUDIT) {
1480 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1481 if (rc2)
1482 return rc2;
1483 }
1484 return rc;
1485 }
1486
1487 /* Check whether a task is allowed to use a system operation. */
1488 static int task_has_system(struct task_struct *tsk,
1489 u32 perms)
1490 {
1491 u32 sid = task_sid(tsk);
1492
1493 return avc_has_perm(sid, SECINITSID_KERNEL,
1494 SECCLASS_SYSTEM, perms, NULL);
1495 }
1496
1497 /* Check whether a task has a particular permission to an inode.
1498 The 'adp' parameter is optional and allows other audit
1499 data to be passed (e.g. the dentry). */
1500 static int inode_has_perm(const struct cred *cred,
1501 struct inode *inode,
1502 u32 perms,
1503 struct common_audit_data *adp,
1504 unsigned flags)
1505 {
1506 struct inode_security_struct *isec;
1507 u32 sid;
1508
1509 validate_creds(cred);
1510
1511 if (unlikely(IS_PRIVATE(inode)))
1512 return 0;
1513
1514 sid = cred_sid(cred);
1515 isec = inode->i_security;
1516
1517 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1518 }
1519
1520 /* Same as inode_has_perm, but pass explicit audit data containing
1521 the dentry to help the auditing code to more easily generate the
1522 pathname if needed. */
1523 static inline int dentry_has_perm(const struct cred *cred,
1524 struct dentry *dentry,
1525 u32 av)
1526 {
1527 struct inode *inode = dentry->d_inode;
1528 struct common_audit_data ad;
1529
1530 ad.type = LSM_AUDIT_DATA_DENTRY;
1531 ad.u.dentry = dentry;
1532 return inode_has_perm(cred, inode, av, &ad, 0);
1533 }
1534
1535 /* Same as inode_has_perm, but pass explicit audit data containing
1536 the path to help the auditing code to more easily generate the
1537 pathname if needed. */
1538 static inline int path_has_perm(const struct cred *cred,
1539 struct path *path,
1540 u32 av)
1541 {
1542 struct inode *inode = path->dentry->d_inode;
1543 struct common_audit_data ad;
1544
1545 ad.type = LSM_AUDIT_DATA_PATH;
1546 ad.u.path = *path;
1547 return inode_has_perm(cred, inode, av, &ad, 0);
1548 }
1549
1550 /* Check whether a task can use an open file descriptor to
1551 access an inode in a given way. Check access to the
1552 descriptor itself, and then use dentry_has_perm to
1553 check a particular permission to the file.
1554 Access to the descriptor is implicitly granted if it
1555 has the same SID as the process. If av is zero, then
1556 access to the file is not checked, e.g. for cases
1557 where only the descriptor is affected like seek. */
1558 static int file_has_perm(const struct cred *cred,
1559 struct file *file,
1560 u32 av)
1561 {
1562 struct file_security_struct *fsec = file->f_security;
1563 struct inode *inode = file_inode(file);
1564 struct common_audit_data ad;
1565 u32 sid = cred_sid(cred);
1566 int rc;
1567
1568 ad.type = LSM_AUDIT_DATA_PATH;
1569 ad.u.path = file->f_path;
1570
1571 if (sid != fsec->sid) {
1572 rc = avc_has_perm(sid, fsec->sid,
1573 SECCLASS_FD,
1574 FD__USE,
1575 &ad);
1576 if (rc)
1577 goto out;
1578 }
1579
1580 /* av is zero if only checking access to the descriptor. */
1581 rc = 0;
1582 if (av)
1583 rc = inode_has_perm(cred, inode, av, &ad, 0);
1584
1585 out:
1586 return rc;
1587 }
1588
1589 /* Check whether a task can create a file. */
1590 static int may_create(struct inode *dir,
1591 struct dentry *dentry,
1592 u16 tclass)
1593 {
1594 const struct task_security_struct *tsec = current_security();
1595 struct inode_security_struct *dsec;
1596 struct superblock_security_struct *sbsec;
1597 u32 sid, newsid;
1598 struct common_audit_data ad;
1599 int rc;
1600
1601 dsec = dir->i_security;
1602 sbsec = dir->i_sb->s_security;
1603
1604 sid = tsec->sid;
1605 newsid = tsec->create_sid;
1606
1607 ad.type = LSM_AUDIT_DATA_DENTRY;
1608 ad.u.dentry = dentry;
1609
1610 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1611 DIR__ADD_NAME | DIR__SEARCH,
1612 &ad);
1613 if (rc)
1614 return rc;
1615
1616 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1617 rc = security_transition_sid(sid, dsec->sid, tclass,
1618 &dentry->d_name, &newsid);
1619 if (rc)
1620 return rc;
1621 }
1622
1623 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1624 if (rc)
1625 return rc;
1626
1627 return avc_has_perm(newsid, sbsec->sid,
1628 SECCLASS_FILESYSTEM,
1629 FILESYSTEM__ASSOCIATE, &ad);
1630 }
1631
1632 /* Check whether a task can create a key. */
1633 static int may_create_key(u32 ksid,
1634 struct task_struct *ctx)
1635 {
1636 u32 sid = task_sid(ctx);
1637
1638 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1639 }
1640
1641 #define MAY_LINK 0
1642 #define MAY_UNLINK 1
1643 #define MAY_RMDIR 2
1644
1645 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1646 static int may_link(struct inode *dir,
1647 struct dentry *dentry,
1648 int kind)
1649
1650 {
1651 struct inode_security_struct *dsec, *isec;
1652 struct common_audit_data ad;
1653 u32 sid = current_sid();
1654 u32 av;
1655 int rc;
1656
1657 dsec = dir->i_security;
1658 isec = dentry->d_inode->i_security;
1659
1660 ad.type = LSM_AUDIT_DATA_DENTRY;
1661 ad.u.dentry = dentry;
1662
1663 av = DIR__SEARCH;
1664 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1665 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1666 if (rc)
1667 return rc;
1668
1669 switch (kind) {
1670 case MAY_LINK:
1671 av = FILE__LINK;
1672 break;
1673 case MAY_UNLINK:
1674 av = FILE__UNLINK;
1675 break;
1676 case MAY_RMDIR:
1677 av = DIR__RMDIR;
1678 break;
1679 default:
1680 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1681 __func__, kind);
1682 return 0;
1683 }
1684
1685 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1686 return rc;
1687 }
1688
1689 static inline int may_rename(struct inode *old_dir,
1690 struct dentry *old_dentry,
1691 struct inode *new_dir,
1692 struct dentry *new_dentry)
1693 {
1694 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1695 struct common_audit_data ad;
1696 u32 sid = current_sid();
1697 u32 av;
1698 int old_is_dir, new_is_dir;
1699 int rc;
1700
1701 old_dsec = old_dir->i_security;
1702 old_isec = old_dentry->d_inode->i_security;
1703 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1704 new_dsec = new_dir->i_security;
1705
1706 ad.type = LSM_AUDIT_DATA_DENTRY;
1707
1708 ad.u.dentry = old_dentry;
1709 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1710 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1711 if (rc)
1712 return rc;
1713 rc = avc_has_perm(sid, old_isec->sid,
1714 old_isec->sclass, FILE__RENAME, &ad);
1715 if (rc)
1716 return rc;
1717 if (old_is_dir && new_dir != old_dir) {
1718 rc = avc_has_perm(sid, old_isec->sid,
1719 old_isec->sclass, DIR__REPARENT, &ad);
1720 if (rc)
1721 return rc;
1722 }
1723
1724 ad.u.dentry = new_dentry;
1725 av = DIR__ADD_NAME | DIR__SEARCH;
1726 if (new_dentry->d_inode)
1727 av |= DIR__REMOVE_NAME;
1728 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1729 if (rc)
1730 return rc;
1731 if (new_dentry->d_inode) {
1732 new_isec = new_dentry->d_inode->i_security;
1733 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1734 rc = avc_has_perm(sid, new_isec->sid,
1735 new_isec->sclass,
1736 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1737 if (rc)
1738 return rc;
1739 }
1740
1741 return 0;
1742 }
1743
1744 /* Check whether a task can perform a filesystem operation. */
1745 static int superblock_has_perm(const struct cred *cred,
1746 struct super_block *sb,
1747 u32 perms,
1748 struct common_audit_data *ad)
1749 {
1750 struct superblock_security_struct *sbsec;
1751 u32 sid = cred_sid(cred);
1752
1753 sbsec = sb->s_security;
1754 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1755 }
1756
1757 /* Convert a Linux mode and permission mask to an access vector. */
1758 static inline u32 file_mask_to_av(int mode, int mask)
1759 {
1760 u32 av = 0;
1761
1762 if (!S_ISDIR(mode)) {
1763 if (mask & MAY_EXEC)
1764 av |= FILE__EXECUTE;
1765 if (mask & MAY_READ)
1766 av |= FILE__READ;
1767
1768 if (mask & MAY_APPEND)
1769 av |= FILE__APPEND;
1770 else if (mask & MAY_WRITE)
1771 av |= FILE__WRITE;
1772
1773 } else {
1774 if (mask & MAY_EXEC)
1775 av |= DIR__SEARCH;
1776 if (mask & MAY_WRITE)
1777 av |= DIR__WRITE;
1778 if (mask & MAY_READ)
1779 av |= DIR__READ;
1780 }
1781
1782 return av;
1783 }
1784
1785 /* Convert a Linux file to an access vector. */
1786 static inline u32 file_to_av(struct file *file)
1787 {
1788 u32 av = 0;
1789
1790 if (file->f_mode & FMODE_READ)
1791 av |= FILE__READ;
1792 if (file->f_mode & FMODE_WRITE) {
1793 if (file->f_flags & O_APPEND)
1794 av |= FILE__APPEND;
1795 else
1796 av |= FILE__WRITE;
1797 }
1798 if (!av) {
1799 /*
1800 * Special file opened with flags 3 for ioctl-only use.
1801 */
1802 av = FILE__IOCTL;
1803 }
1804
1805 return av;
1806 }
1807
1808 /*
1809 * Convert a file to an access vector and include the correct open
1810 * open permission.
1811 */
1812 static inline u32 open_file_to_av(struct file *file)
1813 {
1814 u32 av = file_to_av(file);
1815
1816 if (selinux_policycap_openperm)
1817 av |= FILE__OPEN;
1818
1819 return av;
1820 }
1821
1822 /* Hook functions begin here. */
1823
1824 static int selinux_ptrace_access_check(struct task_struct *child,
1825 unsigned int mode)
1826 {
1827 int rc;
1828
1829 rc = cap_ptrace_access_check(child, mode);
1830 if (rc)
1831 return rc;
1832
1833 if (mode & PTRACE_MODE_READ) {
1834 u32 sid = current_sid();
1835 u32 csid = task_sid(child);
1836 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1837 }
1838
1839 return current_has_perm(child, PROCESS__PTRACE);
1840 }
1841
1842 static int selinux_ptrace_traceme(struct task_struct *parent)
1843 {
1844 int rc;
1845
1846 rc = cap_ptrace_traceme(parent);
1847 if (rc)
1848 return rc;
1849
1850 return task_has_perm(parent, current, PROCESS__PTRACE);
1851 }
1852
1853 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1854 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1855 {
1856 int error;
1857
1858 error = current_has_perm(target, PROCESS__GETCAP);
1859 if (error)
1860 return error;
1861
1862 return cap_capget(target, effective, inheritable, permitted);
1863 }
1864
1865 static int selinux_capset(struct cred *new, const struct cred *old,
1866 const kernel_cap_t *effective,
1867 const kernel_cap_t *inheritable,
1868 const kernel_cap_t *permitted)
1869 {
1870 int error;
1871
1872 error = cap_capset(new, old,
1873 effective, inheritable, permitted);
1874 if (error)
1875 return error;
1876
1877 return cred_has_perm(old, new, PROCESS__SETCAP);
1878 }
1879
1880 /*
1881 * (This comment used to live with the selinux_task_setuid hook,
1882 * which was removed).
1883 *
1884 * Since setuid only affects the current process, and since the SELinux
1885 * controls are not based on the Linux identity attributes, SELinux does not
1886 * need to control this operation. However, SELinux does control the use of
1887 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1888 */
1889
1890 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1891 int cap, int audit)
1892 {
1893 int rc;
1894
1895 rc = cap_capable(cred, ns, cap, audit);
1896 if (rc)
1897 return rc;
1898
1899 return cred_has_capability(cred, cap, audit);
1900 }
1901
1902 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1903 {
1904 const struct cred *cred = current_cred();
1905 int rc = 0;
1906
1907 if (!sb)
1908 return 0;
1909
1910 switch (cmds) {
1911 case Q_SYNC:
1912 case Q_QUOTAON:
1913 case Q_QUOTAOFF:
1914 case Q_SETINFO:
1915 case Q_SETQUOTA:
1916 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1917 break;
1918 case Q_GETFMT:
1919 case Q_GETINFO:
1920 case Q_GETQUOTA:
1921 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1922 break;
1923 default:
1924 rc = 0; /* let the kernel handle invalid cmds */
1925 break;
1926 }
1927 return rc;
1928 }
1929
1930 static int selinux_quota_on(struct dentry *dentry)
1931 {
1932 const struct cred *cred = current_cred();
1933
1934 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1935 }
1936
1937 static int selinux_syslog(int type)
1938 {
1939 int rc;
1940
1941 switch (type) {
1942 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1943 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1944 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1945 break;
1946 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1947 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1948 /* Set level of messages printed to console */
1949 case SYSLOG_ACTION_CONSOLE_LEVEL:
1950 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1951 break;
1952 case SYSLOG_ACTION_CLOSE: /* Close log */
1953 case SYSLOG_ACTION_OPEN: /* Open log */
1954 case SYSLOG_ACTION_READ: /* Read from log */
1955 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1956 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1957 default:
1958 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1959 break;
1960 }
1961 return rc;
1962 }
1963
1964 /*
1965 * Check that a process has enough memory to allocate a new virtual
1966 * mapping. 0 means there is enough memory for the allocation to
1967 * succeed and -ENOMEM implies there is not.
1968 *
1969 * Do not audit the selinux permission check, as this is applied to all
1970 * processes that allocate mappings.
1971 */
1972 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1973 {
1974 int rc, cap_sys_admin = 0;
1975
1976 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1977 SECURITY_CAP_NOAUDIT);
1978 if (rc == 0)
1979 cap_sys_admin = 1;
1980
1981 return __vm_enough_memory(mm, pages, cap_sys_admin);
1982 }
1983
1984 /* binprm security operations */
1985
1986 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1987 {
1988 const struct task_security_struct *old_tsec;
1989 struct task_security_struct *new_tsec;
1990 struct inode_security_struct *isec;
1991 struct common_audit_data ad;
1992 struct inode *inode = file_inode(bprm->file);
1993 int rc;
1994
1995 rc = cap_bprm_set_creds(bprm);
1996 if (rc)
1997 return rc;
1998
1999 /* SELinux context only depends on initial program or script and not
2000 * the script interpreter */
2001 if (bprm->cred_prepared)
2002 return 0;
2003
2004 old_tsec = current_security();
2005 new_tsec = bprm->cred->security;
2006 isec = inode->i_security;
2007
2008 /* Default to the current task SID. */
2009 new_tsec->sid = old_tsec->sid;
2010 new_tsec->osid = old_tsec->sid;
2011
2012 /* Reset fs, key, and sock SIDs on execve. */
2013 new_tsec->create_sid = 0;
2014 new_tsec->keycreate_sid = 0;
2015 new_tsec->sockcreate_sid = 0;
2016
2017 if (old_tsec->exec_sid) {
2018 new_tsec->sid = old_tsec->exec_sid;
2019 /* Reset exec SID on execve. */
2020 new_tsec->exec_sid = 0;
2021
2022 /*
2023 * Minimize confusion: if no_new_privs and a transition is
2024 * explicitly requested, then fail the exec.
2025 */
2026 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2027 return -EPERM;
2028 } else {
2029 /* Check for a default transition on this program. */
2030 rc = security_transition_sid(old_tsec->sid, isec->sid,
2031 SECCLASS_PROCESS, NULL,
2032 &new_tsec->sid);
2033 if (rc)
2034 return rc;
2035 }
2036
2037 ad.type = LSM_AUDIT_DATA_PATH;
2038 ad.u.path = bprm->file->f_path;
2039
2040 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2041 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2042 new_tsec->sid = old_tsec->sid;
2043
2044 if (new_tsec->sid == old_tsec->sid) {
2045 rc = avc_has_perm(old_tsec->sid, isec->sid,
2046 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2047 if (rc)
2048 return rc;
2049 } else {
2050 /* Check permissions for the transition. */
2051 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2052 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2053 if (rc)
2054 return rc;
2055
2056 rc = avc_has_perm(new_tsec->sid, isec->sid,
2057 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2058 if (rc)
2059 return rc;
2060
2061 /* Check for shared state */
2062 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2063 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2064 SECCLASS_PROCESS, PROCESS__SHARE,
2065 NULL);
2066 if (rc)
2067 return -EPERM;
2068 }
2069
2070 /* Make sure that anyone attempting to ptrace over a task that
2071 * changes its SID has the appropriate permit */
2072 if (bprm->unsafe &
2073 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2074 struct task_struct *tracer;
2075 struct task_security_struct *sec;
2076 u32 ptsid = 0;
2077
2078 rcu_read_lock();
2079 tracer = ptrace_parent(current);
2080 if (likely(tracer != NULL)) {
2081 sec = __task_cred(tracer)->security;
2082 ptsid = sec->sid;
2083 }
2084 rcu_read_unlock();
2085
2086 if (ptsid != 0) {
2087 rc = avc_has_perm(ptsid, new_tsec->sid,
2088 SECCLASS_PROCESS,
2089 PROCESS__PTRACE, NULL);
2090 if (rc)
2091 return -EPERM;
2092 }
2093 }
2094
2095 /* Clear any possibly unsafe personality bits on exec: */
2096 bprm->per_clear |= PER_CLEAR_ON_SETID;
2097 }
2098
2099 return 0;
2100 }
2101
2102 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2103 {
2104 const struct task_security_struct *tsec = current_security();
2105 u32 sid, osid;
2106 int atsecure = 0;
2107
2108 sid = tsec->sid;
2109 osid = tsec->osid;
2110
2111 if (osid != sid) {
2112 /* Enable secure mode for SIDs transitions unless
2113 the noatsecure permission is granted between
2114 the two SIDs, i.e. ahp returns 0. */
2115 atsecure = avc_has_perm(osid, sid,
2116 SECCLASS_PROCESS,
2117 PROCESS__NOATSECURE, NULL);
2118 }
2119
2120 return (atsecure || cap_bprm_secureexec(bprm));
2121 }
2122
2123 static int match_file(const void *p, struct file *file, unsigned fd)
2124 {
2125 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2126 }
2127
2128 /* Derived from fs/exec.c:flush_old_files. */
2129 static inline void flush_unauthorized_files(const struct cred *cred,
2130 struct files_struct *files)
2131 {
2132 struct file *file, *devnull = NULL;
2133 struct tty_struct *tty;
2134 int drop_tty = 0;
2135 unsigned n;
2136
2137 tty = get_current_tty();
2138 if (tty) {
2139 spin_lock(&tty_files_lock);
2140 if (!list_empty(&tty->tty_files)) {
2141 struct tty_file_private *file_priv;
2142
2143 /* Revalidate access to controlling tty.
2144 Use path_has_perm on the tty path directly rather
2145 than using file_has_perm, as this particular open
2146 file may belong to another process and we are only
2147 interested in the inode-based check here. */
2148 file_priv = list_first_entry(&tty->tty_files,
2149 struct tty_file_private, list);
2150 file = file_priv->file;
2151 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2152 drop_tty = 1;
2153 }
2154 spin_unlock(&tty_files_lock);
2155 tty_kref_put(tty);
2156 }
2157 /* Reset controlling tty. */
2158 if (drop_tty)
2159 no_tty();
2160
2161 /* Revalidate access to inherited open files. */
2162 n = iterate_fd(files, 0, match_file, cred);
2163 if (!n) /* none found? */
2164 return;
2165
2166 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2167 if (IS_ERR(devnull))
2168 devnull = NULL;
2169 /* replace all the matching ones with this */
2170 do {
2171 replace_fd(n - 1, devnull, 0);
2172 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2173 if (devnull)
2174 fput(devnull);
2175 }
2176
2177 /*
2178 * Prepare a process for imminent new credential changes due to exec
2179 */
2180 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2181 {
2182 struct task_security_struct *new_tsec;
2183 struct rlimit *rlim, *initrlim;
2184 int rc, i;
2185
2186 new_tsec = bprm->cred->security;
2187 if (new_tsec->sid == new_tsec->osid)
2188 return;
2189
2190 /* Close files for which the new task SID is not authorized. */
2191 flush_unauthorized_files(bprm->cred, current->files);
2192
2193 /* Always clear parent death signal on SID transitions. */
2194 current->pdeath_signal = 0;
2195
2196 /* Check whether the new SID can inherit resource limits from the old
2197 * SID. If not, reset all soft limits to the lower of the current
2198 * task's hard limit and the init task's soft limit.
2199 *
2200 * Note that the setting of hard limits (even to lower them) can be
2201 * controlled by the setrlimit check. The inclusion of the init task's
2202 * soft limit into the computation is to avoid resetting soft limits
2203 * higher than the default soft limit for cases where the default is
2204 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2205 */
2206 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2207 PROCESS__RLIMITINH, NULL);
2208 if (rc) {
2209 /* protect against do_prlimit() */
2210 task_lock(current);
2211 for (i = 0; i < RLIM_NLIMITS; i++) {
2212 rlim = current->signal->rlim + i;
2213 initrlim = init_task.signal->rlim + i;
2214 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2215 }
2216 task_unlock(current);
2217 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2218 }
2219 }
2220
2221 /*
2222 * Clean up the process immediately after the installation of new credentials
2223 * due to exec
2224 */
2225 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2226 {
2227 const struct task_security_struct *tsec = current_security();
2228 struct itimerval itimer;
2229 u32 osid, sid;
2230 int rc, i;
2231
2232 osid = tsec->osid;
2233 sid = tsec->sid;
2234
2235 if (sid == osid)
2236 return;
2237
2238 /* Check whether the new SID can inherit signal state from the old SID.
2239 * If not, clear itimers to avoid subsequent signal generation and
2240 * flush and unblock signals.
2241 *
2242 * This must occur _after_ the task SID has been updated so that any
2243 * kill done after the flush will be checked against the new SID.
2244 */
2245 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2246 if (rc) {
2247 memset(&itimer, 0, sizeof itimer);
2248 for (i = 0; i < 3; i++)
2249 do_setitimer(i, &itimer, NULL);
2250 spin_lock_irq(&current->sighand->siglock);
2251 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2252 __flush_signals(current);
2253 flush_signal_handlers(current, 1);
2254 sigemptyset(&current->blocked);
2255 }
2256 spin_unlock_irq(&current->sighand->siglock);
2257 }
2258
2259 /* Wake up the parent if it is waiting so that it can recheck
2260 * wait permission to the new task SID. */
2261 read_lock(&tasklist_lock);
2262 __wake_up_parent(current, current->real_parent);
2263 read_unlock(&tasklist_lock);
2264 }
2265
2266 /* superblock security operations */
2267
2268 static int selinux_sb_alloc_security(struct super_block *sb)
2269 {
2270 return superblock_alloc_security(sb);
2271 }
2272
2273 static void selinux_sb_free_security(struct super_block *sb)
2274 {
2275 superblock_free_security(sb);
2276 }
2277
2278 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2279 {
2280 if (plen > olen)
2281 return 0;
2282
2283 return !memcmp(prefix, option, plen);
2284 }
2285
2286 static inline int selinux_option(char *option, int len)
2287 {
2288 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2289 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2290 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2291 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2292 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2293 }
2294
2295 static inline void take_option(char **to, char *from, int *first, int len)
2296 {
2297 if (!*first) {
2298 **to = ',';
2299 *to += 1;
2300 } else
2301 *first = 0;
2302 memcpy(*to, from, len);
2303 *to += len;
2304 }
2305
2306 static inline void take_selinux_option(char **to, char *from, int *first,
2307 int len)
2308 {
2309 int current_size = 0;
2310
2311 if (!*first) {
2312 **to = '|';
2313 *to += 1;
2314 } else
2315 *first = 0;
2316
2317 while (current_size < len) {
2318 if (*from != '"') {
2319 **to = *from;
2320 *to += 1;
2321 }
2322 from += 1;
2323 current_size += 1;
2324 }
2325 }
2326
2327 static int selinux_sb_copy_data(char *orig, char *copy)
2328 {
2329 int fnosec, fsec, rc = 0;
2330 char *in_save, *in_curr, *in_end;
2331 char *sec_curr, *nosec_save, *nosec;
2332 int open_quote = 0;
2333
2334 in_curr = orig;
2335 sec_curr = copy;
2336
2337 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2338 if (!nosec) {
2339 rc = -ENOMEM;
2340 goto out;
2341 }
2342
2343 nosec_save = nosec;
2344 fnosec = fsec = 1;
2345 in_save = in_end = orig;
2346
2347 do {
2348 if (*in_end == '"')
2349 open_quote = !open_quote;
2350 if ((*in_end == ',' && open_quote == 0) ||
2351 *in_end == '\0') {
2352 int len = in_end - in_curr;
2353
2354 if (selinux_option(in_curr, len))
2355 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2356 else
2357 take_option(&nosec, in_curr, &fnosec, len);
2358
2359 in_curr = in_end + 1;
2360 }
2361 } while (*in_end++);
2362
2363 strcpy(in_save, nosec_save);
2364 free_page((unsigned long)nosec_save);
2365 out:
2366 return rc;
2367 }
2368
2369 static int selinux_sb_remount(struct super_block *sb, void *data)
2370 {
2371 int rc, i, *flags;
2372 struct security_mnt_opts opts;
2373 char *secdata, **mount_options;
2374 struct superblock_security_struct *sbsec = sb->s_security;
2375
2376 if (!(sbsec->flags & SE_SBINITIALIZED))
2377 return 0;
2378
2379 if (!data)
2380 return 0;
2381
2382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2383 return 0;
2384
2385 security_init_mnt_opts(&opts);
2386 secdata = alloc_secdata();
2387 if (!secdata)
2388 return -ENOMEM;
2389 rc = selinux_sb_copy_data(data, secdata);
2390 if (rc)
2391 goto out_free_secdata;
2392
2393 rc = selinux_parse_opts_str(secdata, &opts);
2394 if (rc)
2395 goto out_free_secdata;
2396
2397 mount_options = opts.mnt_opts;
2398 flags = opts.mnt_opts_flags;
2399
2400 for (i = 0; i < opts.num_mnt_opts; i++) {
2401 u32 sid;
2402 size_t len;
2403
2404 if (flags[i] == SE_SBLABELSUPP)
2405 continue;
2406 len = strlen(mount_options[i]);
2407 rc = security_context_to_sid(mount_options[i], len, &sid);
2408 if (rc) {
2409 printk(KERN_WARNING "SELinux: security_context_to_sid"
2410 "(%s) failed for (dev %s, type %s) errno=%d\n",
2411 mount_options[i], sb->s_id, sb->s_type->name, rc);
2412 goto out_free_opts;
2413 }
2414 rc = -EINVAL;
2415 switch (flags[i]) {
2416 case FSCONTEXT_MNT:
2417 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2418 goto out_bad_option;
2419 break;
2420 case CONTEXT_MNT:
2421 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2422 goto out_bad_option;
2423 break;
2424 case ROOTCONTEXT_MNT: {
2425 struct inode_security_struct *root_isec;
2426 root_isec = sb->s_root->d_inode->i_security;
2427
2428 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2429 goto out_bad_option;
2430 break;
2431 }
2432 case DEFCONTEXT_MNT:
2433 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2434 goto out_bad_option;
2435 break;
2436 default:
2437 goto out_free_opts;
2438 }
2439 }
2440
2441 rc = 0;
2442 out_free_opts:
2443 security_free_mnt_opts(&opts);
2444 out_free_secdata:
2445 free_secdata(secdata);
2446 return rc;
2447 out_bad_option:
2448 printk(KERN_WARNING "SELinux: unable to change security options "
2449 "during remount (dev %s, type=%s)\n", sb->s_id,
2450 sb->s_type->name);
2451 goto out_free_opts;
2452 }
2453
2454 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2455 {
2456 const struct cred *cred = current_cred();
2457 struct common_audit_data ad;
2458 int rc;
2459
2460 rc = superblock_doinit(sb, data);
2461 if (rc)
2462 return rc;
2463
2464 /* Allow all mounts performed by the kernel */
2465 if (flags & MS_KERNMOUNT)
2466 return 0;
2467
2468 ad.type = LSM_AUDIT_DATA_DENTRY;
2469 ad.u.dentry = sb->s_root;
2470 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2471 }
2472
2473 static int selinux_sb_statfs(struct dentry *dentry)
2474 {
2475 const struct cred *cred = current_cred();
2476 struct common_audit_data ad;
2477
2478 ad.type = LSM_AUDIT_DATA_DENTRY;
2479 ad.u.dentry = dentry->d_sb->s_root;
2480 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2481 }
2482
2483 static int selinux_mount(const char *dev_name,
2484 struct path *path,
2485 const char *type,
2486 unsigned long flags,
2487 void *data)
2488 {
2489 const struct cred *cred = current_cred();
2490
2491 if (flags & MS_REMOUNT)
2492 return superblock_has_perm(cred, path->dentry->d_sb,
2493 FILESYSTEM__REMOUNT, NULL);
2494 else
2495 return path_has_perm(cred, path, FILE__MOUNTON);
2496 }
2497
2498 static int selinux_umount(struct vfsmount *mnt, int flags)
2499 {
2500 const struct cred *cred = current_cred();
2501
2502 return superblock_has_perm(cred, mnt->mnt_sb,
2503 FILESYSTEM__UNMOUNT, NULL);
2504 }
2505
2506 /* inode security operations */
2507
2508 static int selinux_inode_alloc_security(struct inode *inode)
2509 {
2510 return inode_alloc_security(inode);
2511 }
2512
2513 static void selinux_inode_free_security(struct inode *inode)
2514 {
2515 inode_free_security(inode);
2516 }
2517
2518 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2519 const struct qstr *qstr, char **name,
2520 void **value, size_t *len)
2521 {
2522 const struct task_security_struct *tsec = current_security();
2523 struct inode_security_struct *dsec;
2524 struct superblock_security_struct *sbsec;
2525 u32 sid, newsid, clen;
2526 int rc;
2527 char *namep = NULL, *context;
2528
2529 dsec = dir->i_security;
2530 sbsec = dir->i_sb->s_security;
2531
2532 sid = tsec->sid;
2533 newsid = tsec->create_sid;
2534
2535 if ((sbsec->flags & SE_SBINITIALIZED) &&
2536 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2537 newsid = sbsec->mntpoint_sid;
2538 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2539 rc = security_transition_sid(sid, dsec->sid,
2540 inode_mode_to_security_class(inode->i_mode),
2541 qstr, &newsid);
2542 if (rc) {
2543 printk(KERN_WARNING "%s: "
2544 "security_transition_sid failed, rc=%d (dev=%s "
2545 "ino=%ld)\n",
2546 __func__,
2547 -rc, inode->i_sb->s_id, inode->i_ino);
2548 return rc;
2549 }
2550 }
2551
2552 /* Possibly defer initialization to selinux_complete_init. */
2553 if (sbsec->flags & SE_SBINITIALIZED) {
2554 struct inode_security_struct *isec = inode->i_security;
2555 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556 isec->sid = newsid;
2557 isec->initialized = 1;
2558 }
2559
2560 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2561 return -EOPNOTSUPP;
2562
2563 if (name) {
2564 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2565 if (!namep)
2566 return -ENOMEM;
2567 *name = namep;
2568 }
2569
2570 if (value && len) {
2571 rc = security_sid_to_context_force(newsid, &context, &clen);
2572 if (rc) {
2573 kfree(namep);
2574 return rc;
2575 }
2576 *value = context;
2577 *len = clen;
2578 }
2579
2580 return 0;
2581 }
2582
2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2584 {
2585 return may_create(dir, dentry, SECCLASS_FILE);
2586 }
2587
2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 {
2590 return may_link(dir, old_dentry, MAY_LINK);
2591 }
2592
2593 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2594 {
2595 return may_link(dir, dentry, MAY_UNLINK);
2596 }
2597
2598 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2599 {
2600 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2601 }
2602
2603 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2604 {
2605 return may_create(dir, dentry, SECCLASS_DIR);
2606 }
2607
2608 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2609 {
2610 return may_link(dir, dentry, MAY_RMDIR);
2611 }
2612
2613 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2614 {
2615 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2616 }
2617
2618 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2619 struct inode *new_inode, struct dentry *new_dentry)
2620 {
2621 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2622 }
2623
2624 static int selinux_inode_readlink(struct dentry *dentry)
2625 {
2626 const struct cred *cred = current_cred();
2627
2628 return dentry_has_perm(cred, dentry, FILE__READ);
2629 }
2630
2631 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2632 {
2633 const struct cred *cred = current_cred();
2634
2635 return dentry_has_perm(cred, dentry, FILE__READ);
2636 }
2637
2638 static noinline int audit_inode_permission(struct inode *inode,
2639 u32 perms, u32 audited, u32 denied,
2640 unsigned flags)
2641 {
2642 struct common_audit_data ad;
2643 struct inode_security_struct *isec = inode->i_security;
2644 int rc;
2645
2646 ad.type = LSM_AUDIT_DATA_INODE;
2647 ad.u.inode = inode;
2648
2649 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2650 audited, denied, &ad, flags);
2651 if (rc)
2652 return rc;
2653 return 0;
2654 }
2655
2656 static int selinux_inode_permission(struct inode *inode, int mask)
2657 {
2658 const struct cred *cred = current_cred();
2659 u32 perms;
2660 bool from_access;
2661 unsigned flags = mask & MAY_NOT_BLOCK;
2662 struct inode_security_struct *isec;
2663 u32 sid;
2664 struct av_decision avd;
2665 int rc, rc2;
2666 u32 audited, denied;
2667
2668 from_access = mask & MAY_ACCESS;
2669 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2670
2671 /* No permission to check. Existence test. */
2672 if (!mask)
2673 return 0;
2674
2675 validate_creds(cred);
2676
2677 if (unlikely(IS_PRIVATE(inode)))
2678 return 0;
2679
2680 perms = file_mask_to_av(inode->i_mode, mask);
2681
2682 sid = cred_sid(cred);
2683 isec = inode->i_security;
2684
2685 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2686 audited = avc_audit_required(perms, &avd, rc,
2687 from_access ? FILE__AUDIT_ACCESS : 0,
2688 &denied);
2689 if (likely(!audited))
2690 return rc;
2691
2692 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2693 if (rc2)
2694 return rc2;
2695 return rc;
2696 }
2697
2698 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2699 {
2700 const struct cred *cred = current_cred();
2701 unsigned int ia_valid = iattr->ia_valid;
2702 __u32 av = FILE__WRITE;
2703
2704 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2705 if (ia_valid & ATTR_FORCE) {
2706 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2707 ATTR_FORCE);
2708 if (!ia_valid)
2709 return 0;
2710 }
2711
2712 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2713 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2714 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2715
2716 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2717 av |= FILE__OPEN;
2718
2719 return dentry_has_perm(cred, dentry, av);
2720 }
2721
2722 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2723 {
2724 const struct cred *cred = current_cred();
2725 struct path path;
2726
2727 path.dentry = dentry;
2728 path.mnt = mnt;
2729
2730 return path_has_perm(cred, &path, FILE__GETATTR);
2731 }
2732
2733 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2734 {
2735 const struct cred *cred = current_cred();
2736
2737 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2738 sizeof XATTR_SECURITY_PREFIX - 1)) {
2739 if (!strcmp(name, XATTR_NAME_CAPS)) {
2740 if (!capable(CAP_SETFCAP))
2741 return -EPERM;
2742 } else if (!capable(CAP_SYS_ADMIN)) {
2743 /* A different attribute in the security namespace.
2744 Restrict to administrator. */
2745 return -EPERM;
2746 }
2747 }
2748
2749 /* Not an attribute we recognize, so just check the
2750 ordinary setattr permission. */
2751 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2752 }
2753
2754 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2755 const void *value, size_t size, int flags)
2756 {
2757 struct inode *inode = dentry->d_inode;
2758 struct inode_security_struct *isec = inode->i_security;
2759 struct superblock_security_struct *sbsec;
2760 struct common_audit_data ad;
2761 u32 newsid, sid = current_sid();
2762 int rc = 0;
2763
2764 if (strcmp(name, XATTR_NAME_SELINUX))
2765 return selinux_inode_setotherxattr(dentry, name);
2766
2767 sbsec = inode->i_sb->s_security;
2768 if (!(sbsec->flags & SE_SBLABELSUPP))
2769 return -EOPNOTSUPP;
2770
2771 if (!inode_owner_or_capable(inode))
2772 return -EPERM;
2773
2774 ad.type = LSM_AUDIT_DATA_DENTRY;
2775 ad.u.dentry = dentry;
2776
2777 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2778 FILE__RELABELFROM, &ad);
2779 if (rc)
2780 return rc;
2781
2782 rc = security_context_to_sid(value, size, &newsid);
2783 if (rc == -EINVAL) {
2784 if (!capable(CAP_MAC_ADMIN)) {
2785 struct audit_buffer *ab;
2786 size_t audit_size;
2787 const char *str;
2788
2789 /* We strip a nul only if it is at the end, otherwise the
2790 * context contains a nul and we should audit that */
2791 if (value) {
2792 str = value;
2793 if (str[size - 1] == '\0')
2794 audit_size = size - 1;
2795 else
2796 audit_size = size;
2797 } else {
2798 str = "";
2799 audit_size = 0;
2800 }
2801 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2802 audit_log_format(ab, "op=setxattr invalid_context=");
2803 audit_log_n_untrustedstring(ab, value, audit_size);
2804 audit_log_end(ab);
2805
2806 return rc;
2807 }
2808 rc = security_context_to_sid_force(value, size, &newsid);
2809 }
2810 if (rc)
2811 return rc;
2812
2813 rc = avc_has_perm(sid, newsid, isec->sclass,
2814 FILE__RELABELTO, &ad);
2815 if (rc)
2816 return rc;
2817
2818 rc = security_validate_transition(isec->sid, newsid, sid,
2819 isec->sclass);
2820 if (rc)
2821 return rc;
2822
2823 return avc_has_perm(newsid,
2824 sbsec->sid,
2825 SECCLASS_FILESYSTEM,
2826 FILESYSTEM__ASSOCIATE,
2827 &ad);
2828 }
2829
2830 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2831 const void *value, size_t size,
2832 int flags)
2833 {
2834 struct inode *inode = dentry->d_inode;
2835 struct inode_security_struct *isec = inode->i_security;
2836 u32 newsid;
2837 int rc;
2838
2839 if (strcmp(name, XATTR_NAME_SELINUX)) {
2840 /* Not an attribute we recognize, so nothing to do. */
2841 return;
2842 }
2843
2844 rc = security_context_to_sid_force(value, size, &newsid);
2845 if (rc) {
2846 printk(KERN_ERR "SELinux: unable to map context to SID"
2847 "for (%s, %lu), rc=%d\n",
2848 inode->i_sb->s_id, inode->i_ino, -rc);
2849 return;
2850 }
2851
2852 isec->sid = newsid;
2853 return;
2854 }
2855
2856 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2857 {
2858 const struct cred *cred = current_cred();
2859
2860 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2861 }
2862
2863 static int selinux_inode_listxattr(struct dentry *dentry)
2864 {
2865 const struct cred *cred = current_cred();
2866
2867 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2868 }
2869
2870 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2871 {
2872 if (strcmp(name, XATTR_NAME_SELINUX))
2873 return selinux_inode_setotherxattr(dentry, name);
2874
2875 /* No one is allowed to remove a SELinux security label.
2876 You can change the label, but all data must be labeled. */
2877 return -EACCES;
2878 }
2879
2880 /*
2881 * Copy the inode security context value to the user.
2882 *
2883 * Permission check is handled by selinux_inode_getxattr hook.
2884 */
2885 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2886 {
2887 u32 size;
2888 int error;
2889 char *context = NULL;
2890 struct inode_security_struct *isec = inode->i_security;
2891
2892 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2893 return -EOPNOTSUPP;
2894
2895 /*
2896 * If the caller has CAP_MAC_ADMIN, then get the raw context
2897 * value even if it is not defined by current policy; otherwise,
2898 * use the in-core value under current policy.
2899 * Use the non-auditing forms of the permission checks since
2900 * getxattr may be called by unprivileged processes commonly
2901 * and lack of permission just means that we fall back to the
2902 * in-core context value, not a denial.
2903 */
2904 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2905 SECURITY_CAP_NOAUDIT);
2906 if (!error)
2907 error = security_sid_to_context_force(isec->sid, &context,
2908 &size);
2909 else
2910 error = security_sid_to_context(isec->sid, &context, &size);
2911 if (error)
2912 return error;
2913 error = size;
2914 if (alloc) {
2915 *buffer = context;
2916 goto out_nofree;
2917 }
2918 kfree(context);
2919 out_nofree:
2920 return error;
2921 }
2922
2923 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2924 const void *value, size_t size, int flags)
2925 {
2926 struct inode_security_struct *isec = inode->i_security;
2927 u32 newsid;
2928 int rc;
2929
2930 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2931 return -EOPNOTSUPP;
2932
2933 if (!value || !size)
2934 return -EACCES;
2935
2936 rc = security_context_to_sid((void *)value, size, &newsid);
2937 if (rc)
2938 return rc;
2939
2940 isec->sid = newsid;
2941 isec->initialized = 1;
2942 return 0;
2943 }
2944
2945 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2946 {
2947 const int len = sizeof(XATTR_NAME_SELINUX);
2948 if (buffer && len <= buffer_size)
2949 memcpy(buffer, XATTR_NAME_SELINUX, len);
2950 return len;
2951 }
2952
2953 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2954 {
2955 struct inode_security_struct *isec = inode->i_security;
2956 *secid = isec->sid;
2957 }
2958
2959 /* file security operations */
2960
2961 static int selinux_revalidate_file_permission(struct file *file, int mask)
2962 {
2963 const struct cred *cred = current_cred();
2964 struct inode *inode = file_inode(file);
2965
2966 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2967 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2968 mask |= MAY_APPEND;
2969
2970 return file_has_perm(cred, file,
2971 file_mask_to_av(inode->i_mode, mask));
2972 }
2973
2974 static int selinux_file_permission(struct file *file, int mask)
2975 {
2976 struct inode *inode = file_inode(file);
2977 struct file_security_struct *fsec = file->f_security;
2978 struct inode_security_struct *isec = inode->i_security;
2979 u32 sid = current_sid();
2980
2981 if (!mask)
2982 /* No permission to check. Existence test. */
2983 return 0;
2984
2985 if (sid == fsec->sid && fsec->isid == isec->sid &&
2986 fsec->pseqno == avc_policy_seqno())
2987 /* No change since file_open check. */
2988 return 0;
2989
2990 return selinux_revalidate_file_permission(file, mask);
2991 }
2992
2993 static int selinux_file_alloc_security(struct file *file)
2994 {
2995 return file_alloc_security(file);
2996 }
2997
2998 static void selinux_file_free_security(struct file *file)
2999 {
3000 file_free_security(file);
3001 }
3002
3003 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3004 unsigned long arg)
3005 {
3006 const struct cred *cred = current_cred();
3007 int error = 0;
3008
3009 switch (cmd) {
3010 case FIONREAD:
3011 /* fall through */
3012 case FIBMAP:
3013 /* fall through */
3014 case FIGETBSZ:
3015 /* fall through */
3016 case FS_IOC_GETFLAGS:
3017 /* fall through */
3018 case FS_IOC_GETVERSION:
3019 error = file_has_perm(cred, file, FILE__GETATTR);
3020 break;
3021
3022 case FS_IOC_SETFLAGS:
3023 /* fall through */
3024 case FS_IOC_SETVERSION:
3025 error = file_has_perm(cred, file, FILE__SETATTR);
3026 break;
3027
3028 /* sys_ioctl() checks */
3029 case FIONBIO:
3030 /* fall through */
3031 case FIOASYNC:
3032 error = file_has_perm(cred, file, 0);
3033 break;
3034
3035 case KDSKBENT:
3036 case KDSKBSENT:
3037 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3038 SECURITY_CAP_AUDIT);
3039 break;
3040
3041 /* default case assumes that the command will go
3042 * to the file's ioctl() function.
3043 */
3044 default:
3045 error = file_has_perm(cred, file, FILE__IOCTL);
3046 }
3047 return error;
3048 }
3049
3050 static int default_noexec;
3051
3052 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3053 {
3054 const struct cred *cred = current_cred();
3055 int rc = 0;
3056
3057 if (default_noexec &&
3058 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3059 /*
3060 * We are making executable an anonymous mapping or a
3061 * private file mapping that will also be writable.
3062 * This has an additional check.
3063 */
3064 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3065 if (rc)
3066 goto error;
3067 }
3068
3069 if (file) {
3070 /* read access is always possible with a mapping */
3071 u32 av = FILE__READ;
3072
3073 /* write access only matters if the mapping is shared */
3074 if (shared && (prot & PROT_WRITE))
3075 av |= FILE__WRITE;
3076
3077 if (prot & PROT_EXEC)
3078 av |= FILE__EXECUTE;
3079
3080 return file_has_perm(cred, file, av);
3081 }
3082
3083 error:
3084 return rc;
3085 }
3086
3087 static int selinux_mmap_addr(unsigned long addr)
3088 {
3089 int rc = 0;
3090 u32 sid = current_sid();
3091
3092 /*
3093 * notice that we are intentionally putting the SELinux check before
3094 * the secondary cap_file_mmap check. This is such a likely attempt
3095 * at bad behaviour/exploit that we always want to get the AVC, even
3096 * if DAC would have also denied the operation.
3097 */
3098 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3099 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3100 MEMPROTECT__MMAP_ZERO, NULL);
3101 if (rc)
3102 return rc;
3103 }
3104
3105 /* do DAC check on address space usage */
3106 return cap_mmap_addr(addr);
3107 }
3108
3109 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3110 unsigned long prot, unsigned long flags)
3111 {
3112 if (selinux_checkreqprot)
3113 prot = reqprot;
3114
3115 return file_map_prot_check(file, prot,
3116 (flags & MAP_TYPE) == MAP_SHARED);
3117 }
3118
3119 static int selinux_file_mprotect(struct vm_area_struct *vma,
3120 unsigned long reqprot,
3121 unsigned long prot)
3122 {
3123 const struct cred *cred = current_cred();
3124
3125 if (selinux_checkreqprot)
3126 prot = reqprot;
3127
3128 if (default_noexec &&
3129 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3130 int rc = 0;
3131 if (vma->vm_start >= vma->vm_mm->start_brk &&
3132 vma->vm_end <= vma->vm_mm->brk) {
3133 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3134 } else if (!vma->vm_file &&
3135 vma->vm_start <= vma->vm_mm->start_stack &&
3136 vma->vm_end >= vma->vm_mm->start_stack) {
3137 rc = current_has_perm(current, PROCESS__EXECSTACK);
3138 } else if (vma->vm_file && vma->anon_vma) {
3139 /*
3140 * We are making executable a file mapping that has
3141 * had some COW done. Since pages might have been
3142 * written, check ability to execute the possibly
3143 * modified content. This typically should only
3144 * occur for text relocations.
3145 */
3146 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3147 }
3148 if (rc)
3149 return rc;
3150 }
3151
3152 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3153 }
3154
3155 static int selinux_file_lock(struct file *file, unsigned int cmd)
3156 {
3157 const struct cred *cred = current_cred();
3158
3159 return file_has_perm(cred, file, FILE__LOCK);
3160 }
3161
3162 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3163 unsigned long arg)
3164 {
3165 const struct cred *cred = current_cred();
3166 int err = 0;
3167
3168 switch (cmd) {
3169 case F_SETFL:
3170 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3171 err = file_has_perm(cred, file, FILE__WRITE);
3172 break;
3173 }
3174 /* fall through */
3175 case F_SETOWN:
3176 case F_SETSIG:
3177 case F_GETFL:
3178 case F_GETOWN:
3179 case F_GETSIG:
3180 case F_GETOWNER_UIDS:
3181 /* Just check FD__USE permission */
3182 err = file_has_perm(cred, file, 0);
3183 break;
3184 case F_GETLK:
3185 case F_SETLK:
3186 case F_SETLKW:
3187 #if BITS_PER_LONG == 32
3188 case F_GETLK64:
3189 case F_SETLK64:
3190 case F_SETLKW64:
3191 #endif
3192 err = file_has_perm(cred, file, FILE__LOCK);
3193 break;
3194 }
3195
3196 return err;
3197 }
3198
3199 static int selinux_file_set_fowner(struct file *file)
3200 {
3201 struct file_security_struct *fsec;
3202
3203 fsec = file->f_security;
3204 fsec->fown_sid = current_sid();
3205
3206 return 0;
3207 }
3208
3209 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3210 struct fown_struct *fown, int signum)
3211 {
3212 struct file *file;
3213 u32 sid = task_sid(tsk);
3214 u32 perm;
3215 struct file_security_struct *fsec;
3216
3217 /* struct fown_struct is never outside the context of a struct file */
3218 file = container_of(fown, struct file, f_owner);
3219
3220 fsec = file->f_security;
3221
3222 if (!signum)
3223 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3224 else
3225 perm = signal_to_av(signum);
3226
3227 return avc_has_perm(fsec->fown_sid, sid,
3228 SECCLASS_PROCESS, perm, NULL);
3229 }
3230
3231 static int selinux_file_receive(struct file *file)
3232 {
3233 const struct cred *cred = current_cred();
3234
3235 return file_has_perm(cred, file, file_to_av(file));
3236 }
3237
3238 static int selinux_file_open(struct file *file, const struct cred *cred)
3239 {
3240 struct file_security_struct *fsec;
3241 struct inode_security_struct *isec;
3242
3243 fsec = file->f_security;
3244 isec = file_inode(file)->i_security;
3245 /*
3246 * Save inode label and policy sequence number
3247 * at open-time so that selinux_file_permission
3248 * can determine whether revalidation is necessary.
3249 * Task label is already saved in the file security
3250 * struct as its SID.
3251 */
3252 fsec->isid = isec->sid;
3253 fsec->pseqno = avc_policy_seqno();
3254 /*
3255 * Since the inode label or policy seqno may have changed
3256 * between the selinux_inode_permission check and the saving
3257 * of state above, recheck that access is still permitted.
3258 * Otherwise, access might never be revalidated against the
3259 * new inode label or new policy.
3260 * This check is not redundant - do not remove.
3261 */
3262 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3263 }
3264
3265 /* task security operations */
3266
3267 static int selinux_task_create(unsigned long clone_flags)
3268 {
3269 return current_has_perm(current, PROCESS__FORK);
3270 }
3271
3272 /*
3273 * allocate the SELinux part of blank credentials
3274 */
3275 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3276 {
3277 struct task_security_struct *tsec;
3278
3279 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3280 if (!tsec)
3281 return -ENOMEM;
3282
3283 cred->security = tsec;
3284 return 0;
3285 }
3286
3287 /*
3288 * detach and free the LSM part of a set of credentials
3289 */
3290 static void selinux_cred_free(struct cred *cred)
3291 {
3292 struct task_security_struct *tsec = cred->security;
3293
3294 /*
3295 * cred->security == NULL if security_cred_alloc_blank() or
3296 * security_prepare_creds() returned an error.
3297 */
3298 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3299 cred->security = (void *) 0x7UL;
3300 kfree(tsec);
3301 }
3302
3303 /*
3304 * prepare a new set of credentials for modification
3305 */
3306 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3307 gfp_t gfp)
3308 {
3309 const struct task_security_struct *old_tsec;
3310 struct task_security_struct *tsec;
3311
3312 old_tsec = old->security;
3313
3314 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3315 if (!tsec)
3316 return -ENOMEM;
3317
3318 new->security = tsec;
3319 return 0;
3320 }
3321
3322 /*
3323 * transfer the SELinux data to a blank set of creds
3324 */
3325 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3326 {
3327 const struct task_security_struct *old_tsec = old->security;
3328 struct task_security_struct *tsec = new->security;
3329
3330 *tsec = *old_tsec;
3331 }
3332
3333 /*
3334 * set the security data for a kernel service
3335 * - all the creation contexts are set to unlabelled
3336 */
3337 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3338 {
3339 struct task_security_struct *tsec = new->security;
3340 u32 sid = current_sid();
3341 int ret;
3342
3343 ret = avc_has_perm(sid, secid,
3344 SECCLASS_KERNEL_SERVICE,
3345 KERNEL_SERVICE__USE_AS_OVERRIDE,
3346 NULL);
3347 if (ret == 0) {
3348 tsec->sid = secid;
3349 tsec->create_sid = 0;
3350 tsec->keycreate_sid = 0;
3351 tsec->sockcreate_sid = 0;
3352 }
3353 return ret;
3354 }
3355
3356 /*
3357 * set the file creation context in a security record to the same as the
3358 * objective context of the specified inode
3359 */
3360 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3361 {
3362 struct inode_security_struct *isec = inode->i_security;
3363 struct task_security_struct *tsec = new->security;
3364 u32 sid = current_sid();
3365 int ret;
3366
3367 ret = avc_has_perm(sid, isec->sid,
3368 SECCLASS_KERNEL_SERVICE,
3369 KERNEL_SERVICE__CREATE_FILES_AS,
3370 NULL);
3371
3372 if (ret == 0)
3373 tsec->create_sid = isec->sid;
3374 return ret;
3375 }
3376
3377 static int selinux_kernel_module_request(char *kmod_name)
3378 {
3379 u32 sid;
3380 struct common_audit_data ad;
3381
3382 sid = task_sid(current);
3383
3384 ad.type = LSM_AUDIT_DATA_KMOD;
3385 ad.u.kmod_name = kmod_name;
3386
3387 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3388 SYSTEM__MODULE_REQUEST, &ad);
3389 }
3390
3391 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3392 {
3393 return current_has_perm(p, PROCESS__SETPGID);
3394 }
3395
3396 static int selinux_task_getpgid(struct task_struct *p)
3397 {
3398 return current_has_perm(p, PROCESS__GETPGID);
3399 }
3400
3401 static int selinux_task_getsid(struct task_struct *p)
3402 {
3403 return current_has_perm(p, PROCESS__GETSESSION);
3404 }
3405
3406 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3407 {
3408 *secid = task_sid(p);
3409 }
3410
3411 static int selinux_task_setnice(struct task_struct *p, int nice)
3412 {
3413 int rc;
3414
3415 rc = cap_task_setnice(p, nice);
3416 if (rc)
3417 return rc;
3418
3419 return current_has_perm(p, PROCESS__SETSCHED);
3420 }
3421
3422 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3423 {
3424 int rc;
3425
3426 rc = cap_task_setioprio(p, ioprio);
3427 if (rc)
3428 return rc;
3429
3430 return current_has_perm(p, PROCESS__SETSCHED);
3431 }
3432
3433 static int selinux_task_getioprio(struct task_struct *p)
3434 {
3435 return current_has_perm(p, PROCESS__GETSCHED);
3436 }
3437
3438 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3439 struct rlimit *new_rlim)
3440 {
3441 struct rlimit *old_rlim = p->signal->rlim + resource;
3442
3443 /* Control the ability to change the hard limit (whether
3444 lowering or raising it), so that the hard limit can
3445 later be used as a safe reset point for the soft limit
3446 upon context transitions. See selinux_bprm_committing_creds. */
3447 if (old_rlim->rlim_max != new_rlim->rlim_max)
3448 return current_has_perm(p, PROCESS__SETRLIMIT);
3449
3450 return 0;
3451 }
3452
3453 static int selinux_task_setscheduler(struct task_struct *p)
3454 {
3455 int rc;
3456
3457 rc = cap_task_setscheduler(p);
3458 if (rc)
3459 return rc;
3460
3461 return current_has_perm(p, PROCESS__SETSCHED);
3462 }
3463
3464 static int selinux_task_getscheduler(struct task_struct *p)
3465 {
3466 return current_has_perm(p, PROCESS__GETSCHED);
3467 }
3468
3469 static int selinux_task_movememory(struct task_struct *p)
3470 {
3471 return current_has_perm(p, PROCESS__SETSCHED);
3472 }
3473
3474 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3475 int sig, u32 secid)
3476 {
3477 u32 perm;
3478 int rc;
3479
3480 if (!sig)
3481 perm = PROCESS__SIGNULL; /* null signal; existence test */
3482 else
3483 perm = signal_to_av(sig);
3484 if (secid)
3485 rc = avc_has_perm(secid, task_sid(p),
3486 SECCLASS_PROCESS, perm, NULL);
3487 else
3488 rc = current_has_perm(p, perm);
3489 return rc;
3490 }
3491
3492 static int selinux_task_wait(struct task_struct *p)
3493 {
3494 return task_has_perm(p, current, PROCESS__SIGCHLD);
3495 }
3496
3497 static void selinux_task_to_inode(struct task_struct *p,
3498 struct inode *inode)
3499 {
3500 struct inode_security_struct *isec = inode->i_security;
3501 u32 sid = task_sid(p);
3502
3503 isec->sid = sid;
3504 isec->initialized = 1;
3505 }
3506
3507 /* Returns error only if unable to parse addresses */
3508 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3509 struct common_audit_data *ad, u8 *proto)
3510 {
3511 int offset, ihlen, ret = -EINVAL;
3512 struct iphdr _iph, *ih;
3513
3514 offset = skb_network_offset(skb);
3515 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3516 if (ih == NULL)
3517 goto out;
3518
3519 ihlen = ih->ihl * 4;
3520 if (ihlen < sizeof(_iph))
3521 goto out;
3522
3523 ad->u.net->v4info.saddr = ih->saddr;
3524 ad->u.net->v4info.daddr = ih->daddr;
3525 ret = 0;
3526
3527 if (proto)
3528 *proto = ih->protocol;
3529
3530 switch (ih->protocol) {
3531 case IPPROTO_TCP: {
3532 struct tcphdr _tcph, *th;
3533
3534 if (ntohs(ih->frag_off) & IP_OFFSET)
3535 break;
3536
3537 offset += ihlen;
3538 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3539 if (th == NULL)
3540 break;
3541
3542 ad->u.net->sport = th->source;
3543 ad->u.net->dport = th->dest;
3544 break;
3545 }
3546
3547 case IPPROTO_UDP: {
3548 struct udphdr _udph, *uh;
3549
3550 if (ntohs(ih->frag_off) & IP_OFFSET)
3551 break;
3552
3553 offset += ihlen;
3554 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3555 if (uh == NULL)
3556 break;
3557
3558 ad->u.net->sport = uh->source;
3559 ad->u.net->dport = uh->dest;
3560 break;
3561 }
3562
3563 case IPPROTO_DCCP: {
3564 struct dccp_hdr _dccph, *dh;
3565
3566 if (ntohs(ih->frag_off) & IP_OFFSET)
3567 break;
3568
3569 offset += ihlen;
3570 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3571 if (dh == NULL)
3572 break;
3573
3574 ad->u.net->sport = dh->dccph_sport;
3575 ad->u.net->dport = dh->dccph_dport;
3576 break;
3577 }
3578
3579 default:
3580 break;
3581 }
3582 out:
3583 return ret;
3584 }
3585
3586 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3587
3588 /* Returns error only if unable to parse addresses */
3589 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3590 struct common_audit_data *ad, u8 *proto)
3591 {
3592 u8 nexthdr;
3593 int ret = -EINVAL, offset;
3594 struct ipv6hdr _ipv6h, *ip6;
3595 __be16 frag_off;
3596
3597 offset = skb_network_offset(skb);
3598 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3599 if (ip6 == NULL)
3600 goto out;
3601
3602 ad->u.net->v6info.saddr = ip6->saddr;
3603 ad->u.net->v6info.daddr = ip6->daddr;
3604 ret = 0;
3605
3606 nexthdr = ip6->nexthdr;
3607 offset += sizeof(_ipv6h);
3608 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3609 if (offset < 0)
3610 goto out;
3611
3612 if (proto)
3613 *proto = nexthdr;
3614
3615 switch (nexthdr) {
3616 case IPPROTO_TCP: {
3617 struct tcphdr _tcph, *th;
3618
3619 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3620 if (th == NULL)
3621 break;
3622
3623 ad->u.net->sport = th->source;
3624 ad->u.net->dport = th->dest;
3625 break;
3626 }
3627
3628 case IPPROTO_UDP: {
3629 struct udphdr _udph, *uh;
3630
3631 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3632 if (uh == NULL)
3633 break;
3634
3635 ad->u.net->sport = uh->source;
3636 ad->u.net->dport = uh->dest;
3637 break;
3638 }
3639
3640 case IPPROTO_DCCP: {
3641 struct dccp_hdr _dccph, *dh;
3642
3643 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3644 if (dh == NULL)
3645 break;
3646
3647 ad->u.net->sport = dh->dccph_sport;
3648 ad->u.net->dport = dh->dccph_dport;
3649 break;
3650 }
3651
3652 /* includes fragments */
3653 default:
3654 break;
3655 }
3656 out:
3657 return ret;
3658 }
3659
3660 #endif /* IPV6 */
3661
3662 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3663 char **_addrp, int src, u8 *proto)
3664 {
3665 char *addrp;
3666 int ret;
3667
3668 switch (ad->u.net->family) {
3669 case PF_INET:
3670 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3671 if (ret)
3672 goto parse_error;
3673 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3674 &ad->u.net->v4info.daddr);
3675 goto okay;
3676
3677 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3678 case PF_INET6:
3679 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3680 if (ret)
3681 goto parse_error;
3682 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3683 &ad->u.net->v6info.daddr);
3684 goto okay;
3685 #endif /* IPV6 */
3686 default:
3687 addrp = NULL;
3688 goto okay;
3689 }
3690
3691 parse_error:
3692 printk(KERN_WARNING
3693 "SELinux: failure in selinux_parse_skb(),"
3694 " unable to parse packet\n");
3695 return ret;
3696
3697 okay:
3698 if (_addrp)
3699 *_addrp = addrp;
3700 return 0;
3701 }
3702
3703 /**
3704 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3705 * @skb: the packet
3706 * @family: protocol family
3707 * @sid: the packet's peer label SID
3708 *
3709 * Description:
3710 * Check the various different forms of network peer labeling and determine
3711 * the peer label/SID for the packet; most of the magic actually occurs in
3712 * the security server function security_net_peersid_cmp(). The function
3713 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3714 * or -EACCES if @sid is invalid due to inconsistencies with the different
3715 * peer labels.
3716 *
3717 */
3718 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3719 {
3720 int err;
3721 u32 xfrm_sid;
3722 u32 nlbl_sid;
3723 u32 nlbl_type;
3724
3725 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3726 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3727
3728 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3729 if (unlikely(err)) {
3730 printk(KERN_WARNING
3731 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3732 " unable to determine packet's peer label\n");
3733 return -EACCES;
3734 }
3735
3736 return 0;
3737 }
3738
3739 /* socket security operations */
3740
3741 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3742 u16 secclass, u32 *socksid)
3743 {
3744 if (tsec->sockcreate_sid > SECSID_NULL) {
3745 *socksid = tsec->sockcreate_sid;
3746 return 0;
3747 }
3748
3749 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3750 socksid);
3751 }
3752
3753 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3754 {
3755 struct sk_security_struct *sksec = sk->sk_security;
3756 struct common_audit_data ad;
3757 struct lsm_network_audit net = {0,};
3758 u32 tsid = task_sid(task);
3759
3760 if (sksec->sid == SECINITSID_KERNEL)
3761 return 0;
3762
3763 ad.type = LSM_AUDIT_DATA_NET;
3764 ad.u.net = &net;
3765 ad.u.net->sk = sk;
3766
3767 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3768 }
3769
3770 static int selinux_socket_create(int family, int type,
3771 int protocol, int kern)
3772 {
3773 const struct task_security_struct *tsec = current_security();
3774 u32 newsid;
3775 u16 secclass;
3776 int rc;
3777
3778 if (kern)
3779 return 0;
3780
3781 secclass = socket_type_to_security_class(family, type, protocol);
3782 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3783 if (rc)
3784 return rc;
3785
3786 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3787 }
3788
3789 static int selinux_socket_post_create(struct socket *sock, int family,
3790 int type, int protocol, int kern)
3791 {
3792 const struct task_security_struct *tsec = current_security();
3793 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3794 struct sk_security_struct *sksec;
3795 int err = 0;
3796
3797 isec->sclass = socket_type_to_security_class(family, type, protocol);
3798
3799 if (kern)
3800 isec->sid = SECINITSID_KERNEL;
3801 else {
3802 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3803 if (err)
3804 return err;
3805 }
3806
3807 isec->initialized = 1;
3808
3809 if (sock->sk) {
3810 sksec = sock->sk->sk_security;
3811 sksec->sid = isec->sid;
3812 sksec->sclass = isec->sclass;
3813 err = selinux_netlbl_socket_post_create(sock->sk, family);
3814 }
3815
3816 return err;
3817 }
3818
3819 /* Range of port numbers used to automatically bind.
3820 Need to determine whether we should perform a name_bind
3821 permission check between the socket and the port number. */
3822
3823 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3824 {
3825 struct sock *sk = sock->sk;
3826 u16 family;
3827 int err;
3828
3829 err = sock_has_perm(current, sk, SOCKET__BIND);
3830 if (err)
3831 goto out;
3832
3833 /*
3834 * If PF_INET or PF_INET6, check name_bind permission for the port.
3835 * Multiple address binding for SCTP is not supported yet: we just
3836 * check the first address now.
3837 */
3838 family = sk->sk_family;
3839 if (family == PF_INET || family == PF_INET6) {
3840 char *addrp;
3841 struct sk_security_struct *sksec = sk->sk_security;
3842 struct common_audit_data ad;
3843 struct lsm_network_audit net = {0,};
3844 struct sockaddr_in *addr4 = NULL;
3845 struct sockaddr_in6 *addr6 = NULL;
3846 unsigned short snum;
3847 u32 sid, node_perm;
3848
3849 if (family == PF_INET) {
3850 addr4 = (struct sockaddr_in *)address;
3851 snum = ntohs(addr4->sin_port);
3852 addrp = (char *)&addr4->sin_addr.s_addr;
3853 } else {
3854 addr6 = (struct sockaddr_in6 *)address;
3855 snum = ntohs(addr6->sin6_port);
3856 addrp = (char *)&addr6->sin6_addr.s6_addr;
3857 }
3858
3859 if (snum) {
3860 int low, high;
3861
3862 inet_get_local_port_range(&low, &high);
3863
3864 if (snum < max(PROT_SOCK, low) || snum > high) {
3865 err = sel_netport_sid(sk->sk_protocol,
3866 snum, &sid);
3867 if (err)
3868 goto out;
3869 ad.type = LSM_AUDIT_DATA_NET;
3870 ad.u.net = &net;
3871 ad.u.net->sport = htons(snum);
3872 ad.u.net->family = family;
3873 err = avc_has_perm(sksec->sid, sid,
3874 sksec->sclass,
3875 SOCKET__NAME_BIND, &ad);
3876 if (err)
3877 goto out;
3878 }
3879 }
3880
3881 switch (sksec->sclass) {
3882 case SECCLASS_TCP_SOCKET:
3883 node_perm = TCP_SOCKET__NODE_BIND;
3884 break;
3885
3886 case SECCLASS_UDP_SOCKET:
3887 node_perm = UDP_SOCKET__NODE_BIND;
3888 break;
3889
3890 case SECCLASS_DCCP_SOCKET:
3891 node_perm = DCCP_SOCKET__NODE_BIND;
3892 break;
3893
3894 default:
3895 node_perm = RAWIP_SOCKET__NODE_BIND;
3896 break;
3897 }
3898
3899 err = sel_netnode_sid(addrp, family, &sid);
3900 if (err)
3901 goto out;
3902
3903 ad.type = LSM_AUDIT_DATA_NET;
3904 ad.u.net = &net;
3905 ad.u.net->sport = htons(snum);
3906 ad.u.net->family = family;
3907
3908 if (family == PF_INET)
3909 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3910 else
3911 ad.u.net->v6info.saddr = addr6->sin6_addr;
3912
3913 err = avc_has_perm(sksec->sid, sid,
3914 sksec->sclass, node_perm, &ad);
3915 if (err)
3916 goto out;
3917 }
3918 out:
3919 return err;
3920 }
3921
3922 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3923 {
3924 struct sock *sk = sock->sk;
3925 struct sk_security_struct *sksec = sk->sk_security;
3926 int err;
3927
3928 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3929 if (err)
3930 return err;
3931
3932 /*
3933 * If a TCP or DCCP socket, check name_connect permission for the port.
3934 */
3935 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3936 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3937 struct common_audit_data ad;
3938 struct lsm_network_audit net = {0,};
3939 struct sockaddr_in *addr4 = NULL;
3940 struct sockaddr_in6 *addr6 = NULL;
3941 unsigned short snum;
3942 u32 sid, perm;
3943
3944 if (sk->sk_family == PF_INET) {
3945 addr4 = (struct sockaddr_in *)address;
3946 if (addrlen < sizeof(struct sockaddr_in))
3947 return -EINVAL;
3948 snum = ntohs(addr4->sin_port);
3949 } else {
3950 addr6 = (struct sockaddr_in6 *)address;
3951 if (addrlen < SIN6_LEN_RFC2133)
3952 return -EINVAL;
3953 snum = ntohs(addr6->sin6_port);
3954 }
3955
3956 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3957 if (err)
3958 goto out;
3959
3960 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3961 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3962
3963 ad.type = LSM_AUDIT_DATA_NET;
3964 ad.u.net = &net;
3965 ad.u.net->dport = htons(snum);
3966 ad.u.net->family = sk->sk_family;
3967 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3968 if (err)
3969 goto out;
3970 }
3971
3972 err = selinux_netlbl_socket_connect(sk, address);
3973
3974 out:
3975 return err;
3976 }
3977
3978 static int selinux_socket_listen(struct socket *sock, int backlog)
3979 {
3980 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3981 }
3982
3983 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3984 {
3985 int err;
3986 struct inode_security_struct *isec;
3987 struct inode_security_struct *newisec;
3988
3989 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3990 if (err)
3991 return err;
3992
3993 newisec = SOCK_INODE(newsock)->i_security;
3994
3995 isec = SOCK_INODE(sock)->i_security;
3996 newisec->sclass = isec->sclass;
3997 newisec->sid = isec->sid;
3998 newisec->initialized = 1;
3999
4000 return 0;
4001 }
4002
4003 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4004 int size)
4005 {
4006 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4007 }
4008
4009 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4010 int size, int flags)
4011 {
4012 return sock_has_perm(current, sock->sk, SOCKET__READ);
4013 }
4014
4015 static int selinux_socket_getsockname(struct socket *sock)
4016 {
4017 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4018 }
4019
4020 static int selinux_socket_getpeername(struct socket *sock)
4021 {
4022 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4023 }
4024
4025 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4026 {
4027 int err;
4028
4029 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4030 if (err)
4031 return err;
4032
4033 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4034 }
4035
4036 static int selinux_socket_getsockopt(struct socket *sock, int level,
4037 int optname)
4038 {
4039 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4040 }
4041
4042 static int selinux_socket_shutdown(struct socket *sock, int how)
4043 {
4044 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4045 }
4046
4047 static int selinux_socket_unix_stream_connect(struct sock *sock,
4048 struct sock *other,
4049 struct sock *newsk)
4050 {
4051 struct sk_security_struct *sksec_sock = sock->sk_security;
4052 struct sk_security_struct *sksec_other = other->sk_security;
4053 struct sk_security_struct *sksec_new = newsk->sk_security;
4054 struct common_audit_data ad;
4055 struct lsm_network_audit net = {0,};
4056 int err;
4057
4058 ad.type = LSM_AUDIT_DATA_NET;
4059 ad.u.net = &net;
4060 ad.u.net->sk = other;
4061
4062 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4063 sksec_other->sclass,
4064 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4065 if (err)
4066 return err;
4067
4068 /* server child socket */
4069 sksec_new->peer_sid = sksec_sock->sid;
4070 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4071 &sksec_new->sid);
4072 if (err)
4073 return err;
4074
4075 /* connecting socket */
4076 sksec_sock->peer_sid = sksec_new->sid;
4077
4078 return 0;
4079 }
4080
4081 static int selinux_socket_unix_may_send(struct socket *sock,
4082 struct socket *other)
4083 {
4084 struct sk_security_struct *ssec = sock->sk->sk_security;
4085 struct sk_security_struct *osec = other->sk->sk_security;
4086 struct common_audit_data ad;
4087 struct lsm_network_audit net = {0,};
4088
4089 ad.type = LSM_AUDIT_DATA_NET;
4090 ad.u.net = &net;
4091 ad.u.net->sk = other->sk;
4092
4093 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4094 &ad);
4095 }
4096
4097 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4098 u32 peer_sid,
4099 struct common_audit_data *ad)
4100 {
4101 int err;
4102 u32 if_sid;
4103 u32 node_sid;
4104
4105 err = sel_netif_sid(ifindex, &if_sid);
4106 if (err)
4107 return err;
4108 err = avc_has_perm(peer_sid, if_sid,
4109 SECCLASS_NETIF, NETIF__INGRESS, ad);
4110 if (err)
4111 return err;
4112
4113 err = sel_netnode_sid(addrp, family, &node_sid);
4114 if (err)
4115 return err;
4116 return avc_has_perm(peer_sid, node_sid,
4117 SECCLASS_NODE, NODE__RECVFROM, ad);
4118 }
4119
4120 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4121 u16 family)
4122 {
4123 int err = 0;
4124 struct sk_security_struct *sksec = sk->sk_security;
4125 u32 sk_sid = sksec->sid;
4126 struct common_audit_data ad;
4127 struct lsm_network_audit net = {0,};
4128 char *addrp;
4129
4130 ad.type = LSM_AUDIT_DATA_NET;
4131 ad.u.net = &net;
4132 ad.u.net->netif = skb->skb_iif;
4133 ad.u.net->family = family;
4134 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4135 if (err)
4136 return err;
4137
4138 if (selinux_secmark_enabled()) {
4139 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4140 PACKET__RECV, &ad);
4141 if (err)
4142 return err;
4143 }
4144
4145 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4146 if (err)
4147 return err;
4148 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4149
4150 return err;
4151 }
4152
4153 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4154 {
4155 int err;
4156 struct sk_security_struct *sksec = sk->sk_security;
4157 u16 family = sk->sk_family;
4158 u32 sk_sid = sksec->sid;
4159 struct common_audit_data ad;
4160 struct lsm_network_audit net = {0,};
4161 char *addrp;
4162 u8 secmark_active;
4163 u8 peerlbl_active;
4164
4165 if (family != PF_INET && family != PF_INET6)
4166 return 0;
4167
4168 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4169 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4170 family = PF_INET;
4171
4172 /* If any sort of compatibility mode is enabled then handoff processing
4173 * to the selinux_sock_rcv_skb_compat() function to deal with the
4174 * special handling. We do this in an attempt to keep this function
4175 * as fast and as clean as possible. */
4176 if (!selinux_policycap_netpeer)
4177 return selinux_sock_rcv_skb_compat(sk, skb, family);
4178
4179 secmark_active = selinux_secmark_enabled();
4180 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4181 if (!secmark_active && !peerlbl_active)
4182 return 0;
4183
4184 ad.type = LSM_AUDIT_DATA_NET;
4185 ad.u.net = &net;
4186 ad.u.net->netif = skb->skb_iif;
4187 ad.u.net->family = family;
4188 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4189 if (err)
4190 return err;
4191
4192 if (peerlbl_active) {
4193 u32 peer_sid;
4194
4195 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4196 if (err)
4197 return err;
4198 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4199 peer_sid, &ad);
4200 if (err) {
4201 selinux_netlbl_err(skb, err, 0);
4202 return err;
4203 }
4204 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4205 PEER__RECV, &ad);
4206 if (err)
4207 selinux_netlbl_err(skb, err, 0);
4208 }
4209
4210 if (secmark_active) {
4211 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4212 PACKET__RECV, &ad);
4213 if (err)
4214 return err;
4215 }
4216
4217 return err;
4218 }
4219
4220 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4221 int __user *optlen, unsigned len)
4222 {
4223 int err = 0;
4224 char *scontext;
4225 u32 scontext_len;
4226 struct sk_security_struct *sksec = sock->sk->sk_security;
4227 u32 peer_sid = SECSID_NULL;
4228
4229 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4230 sksec->sclass == SECCLASS_TCP_SOCKET)
4231 peer_sid = sksec->peer_sid;
4232 if (peer_sid == SECSID_NULL)
4233 return -ENOPROTOOPT;
4234
4235 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4236 if (err)
4237 return err;
4238
4239 if (scontext_len > len) {
4240 err = -ERANGE;
4241 goto out_len;
4242 }
4243
4244 if (copy_to_user(optval, scontext, scontext_len))
4245 err = -EFAULT;
4246
4247 out_len:
4248 if (put_user(scontext_len, optlen))
4249 err = -EFAULT;
4250 kfree(scontext);
4251 return err;
4252 }
4253
4254 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4255 {
4256 u32 peer_secid = SECSID_NULL;
4257 u16 family;
4258
4259 if (skb && skb->protocol == htons(ETH_P_IP))
4260 family = PF_INET;
4261 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4262 family = PF_INET6;
4263 else if (sock)
4264 family = sock->sk->sk_family;
4265 else
4266 goto out;
4267
4268 if (sock && family == PF_UNIX)
4269 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4270 else if (skb)
4271 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4272
4273 out:
4274 *secid = peer_secid;
4275 if (peer_secid == SECSID_NULL)
4276 return -EINVAL;
4277 return 0;
4278 }
4279
4280 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4281 {
4282 struct sk_security_struct *sksec;
4283
4284 sksec = kzalloc(sizeof(*sksec), priority);
4285 if (!sksec)
4286 return -ENOMEM;
4287
4288 sksec->peer_sid = SECINITSID_UNLABELED;
4289 sksec->sid = SECINITSID_UNLABELED;
4290 selinux_netlbl_sk_security_reset(sksec);
4291 sk->sk_security = sksec;
4292
4293 return 0;
4294 }
4295
4296 static void selinux_sk_free_security(struct sock *sk)
4297 {
4298 struct sk_security_struct *sksec = sk->sk_security;
4299
4300 sk->sk_security = NULL;
4301 selinux_netlbl_sk_security_free(sksec);
4302 kfree(sksec);
4303 }
4304
4305 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4306 {
4307 struct sk_security_struct *sksec = sk->sk_security;
4308 struct sk_security_struct *newsksec = newsk->sk_security;
4309
4310 newsksec->sid = sksec->sid;
4311 newsksec->peer_sid = sksec->peer_sid;
4312 newsksec->sclass = sksec->sclass;
4313
4314 selinux_netlbl_sk_security_reset(newsksec);
4315 }
4316
4317 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4318 {
4319 if (!sk)
4320 *secid = SECINITSID_ANY_SOCKET;
4321 else {
4322 struct sk_security_struct *sksec = sk->sk_security;
4323
4324 *secid = sksec->sid;
4325 }
4326 }
4327
4328 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4329 {
4330 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4331 struct sk_security_struct *sksec = sk->sk_security;
4332
4333 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4334 sk->sk_family == PF_UNIX)
4335 isec->sid = sksec->sid;
4336 sksec->sclass = isec->sclass;
4337 }
4338
4339 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4340 struct request_sock *req)
4341 {
4342 struct sk_security_struct *sksec = sk->sk_security;
4343 int err;
4344 u16 family = sk->sk_family;
4345 u32 newsid;
4346 u32 peersid;
4347
4348 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4349 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4350 family = PF_INET;
4351
4352 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4353 if (err)
4354 return err;
4355 if (peersid == SECSID_NULL) {
4356 req->secid = sksec->sid;
4357 req->peer_secid = SECSID_NULL;
4358 } else {
4359 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4360 if (err)
4361 return err;
4362 req->secid = newsid;
4363 req->peer_secid = peersid;
4364 }
4365
4366 return selinux_netlbl_inet_conn_request(req, family);
4367 }
4368
4369 static void selinux_inet_csk_clone(struct sock *newsk,
4370 const struct request_sock *req)
4371 {
4372 struct sk_security_struct *newsksec = newsk->sk_security;
4373
4374 newsksec->sid = req->secid;
4375 newsksec->peer_sid = req->peer_secid;
4376 /* NOTE: Ideally, we should also get the isec->sid for the
4377 new socket in sync, but we don't have the isec available yet.
4378 So we will wait until sock_graft to do it, by which
4379 time it will have been created and available. */
4380
4381 /* We don't need to take any sort of lock here as we are the only
4382 * thread with access to newsksec */
4383 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4384 }
4385
4386 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4387 {
4388 u16 family = sk->sk_family;
4389 struct sk_security_struct *sksec = sk->sk_security;
4390
4391 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4392 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4393 family = PF_INET;
4394
4395 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4396 }
4397
4398 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4399 {
4400 skb_set_owner_w(skb, sk);
4401 }
4402
4403 static int selinux_secmark_relabel_packet(u32 sid)
4404 {
4405 const struct task_security_struct *__tsec;
4406 u32 tsid;
4407
4408 __tsec = current_security();
4409 tsid = __tsec->sid;
4410
4411 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4412 }
4413
4414 static void selinux_secmark_refcount_inc(void)
4415 {
4416 atomic_inc(&selinux_secmark_refcount);
4417 }
4418
4419 static void selinux_secmark_refcount_dec(void)
4420 {
4421 atomic_dec(&selinux_secmark_refcount);
4422 }
4423
4424 static void selinux_req_classify_flow(const struct request_sock *req,
4425 struct flowi *fl)
4426 {
4427 fl->flowi_secid = req->secid;
4428 }
4429
4430 static int selinux_tun_dev_alloc_security(void **security)
4431 {
4432 struct tun_security_struct *tunsec;
4433
4434 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4435 if (!tunsec)
4436 return -ENOMEM;
4437 tunsec->sid = current_sid();
4438
4439 *security = tunsec;
4440 return 0;
4441 }
4442
4443 static void selinux_tun_dev_free_security(void *security)
4444 {
4445 kfree(security);
4446 }
4447
4448 static int selinux_tun_dev_create(void)
4449 {
4450 u32 sid = current_sid();
4451
4452 /* we aren't taking into account the "sockcreate" SID since the socket
4453 * that is being created here is not a socket in the traditional sense,
4454 * instead it is a private sock, accessible only to the kernel, and
4455 * representing a wide range of network traffic spanning multiple
4456 * connections unlike traditional sockets - check the TUN driver to
4457 * get a better understanding of why this socket is special */
4458
4459 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4460 NULL);
4461 }
4462
4463 static int selinux_tun_dev_attach_queue(void *security)
4464 {
4465 struct tun_security_struct *tunsec = security;
4466
4467 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4468 TUN_SOCKET__ATTACH_QUEUE, NULL);
4469 }
4470
4471 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4472 {
4473 struct tun_security_struct *tunsec = security;
4474 struct sk_security_struct *sksec = sk->sk_security;
4475
4476 /* we don't currently perform any NetLabel based labeling here and it
4477 * isn't clear that we would want to do so anyway; while we could apply
4478 * labeling without the support of the TUN user the resulting labeled
4479 * traffic from the other end of the connection would almost certainly
4480 * cause confusion to the TUN user that had no idea network labeling
4481 * protocols were being used */
4482
4483 sksec->sid = tunsec->sid;
4484 sksec->sclass = SECCLASS_TUN_SOCKET;
4485
4486 return 0;
4487 }
4488
4489 static int selinux_tun_dev_open(void *security)
4490 {
4491 struct tun_security_struct *tunsec = security;
4492 u32 sid = current_sid();
4493 int err;
4494
4495 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4496 TUN_SOCKET__RELABELFROM, NULL);
4497 if (err)
4498 return err;
4499 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4500 TUN_SOCKET__RELABELTO, NULL);
4501 if (err)
4502 return err;
4503 tunsec->sid = sid;
4504
4505 return 0;
4506 }
4507
4508 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4509 {
4510 int err = 0;
4511 u32 perm;
4512 struct nlmsghdr *nlh;
4513 struct sk_security_struct *sksec = sk->sk_security;
4514
4515 if (skb->len < NLMSG_HDRLEN) {
4516 err = -EINVAL;
4517 goto out;
4518 }
4519 nlh = nlmsg_hdr(skb);
4520
4521 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4522 if (err) {
4523 if (err == -EINVAL) {
4524 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4525 "SELinux: unrecognized netlink message"
4526 " type=%hu for sclass=%hu\n",
4527 nlh->nlmsg_type, sksec->sclass);
4528 if (!selinux_enforcing || security_get_allow_unknown())
4529 err = 0;
4530 }
4531
4532 /* Ignore */
4533 if (err == -ENOENT)
4534 err = 0;
4535 goto out;
4536 }
4537
4538 err = sock_has_perm(current, sk, perm);
4539 out:
4540 return err;
4541 }
4542
4543 #ifdef CONFIG_NETFILTER
4544
4545 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4546 u16 family)
4547 {
4548 int err;
4549 char *addrp;
4550 u32 peer_sid;
4551 struct common_audit_data ad;
4552 struct lsm_network_audit net = {0,};
4553 u8 secmark_active;
4554 u8 netlbl_active;
4555 u8 peerlbl_active;
4556
4557 if (!selinux_policycap_netpeer)
4558 return NF_ACCEPT;
4559
4560 secmark_active = selinux_secmark_enabled();
4561 netlbl_active = netlbl_enabled();
4562 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4563 if (!secmark_active && !peerlbl_active)
4564 return NF_ACCEPT;
4565
4566 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4567 return NF_DROP;
4568
4569 ad.type = LSM_AUDIT_DATA_NET;
4570 ad.u.net = &net;
4571 ad.u.net->netif = ifindex;
4572 ad.u.net->family = family;
4573 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4574 return NF_DROP;
4575
4576 if (peerlbl_active) {
4577 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4578 peer_sid, &ad);
4579 if (err) {
4580 selinux_netlbl_err(skb, err, 1);
4581 return NF_DROP;
4582 }
4583 }
4584
4585 if (secmark_active)
4586 if (avc_has_perm(peer_sid, skb->secmark,
4587 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4588 return NF_DROP;
4589
4590 if (netlbl_active)
4591 /* we do this in the FORWARD path and not the POST_ROUTING
4592 * path because we want to make sure we apply the necessary
4593 * labeling before IPsec is applied so we can leverage AH
4594 * protection */
4595 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4596 return NF_DROP;
4597
4598 return NF_ACCEPT;
4599 }
4600
4601 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4602 struct sk_buff *skb,
4603 const struct net_device *in,
4604 const struct net_device *out,
4605 int (*okfn)(struct sk_buff *))
4606 {
4607 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4608 }
4609
4610 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4611 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4612 struct sk_buff *skb,
4613 const struct net_device *in,
4614 const struct net_device *out,
4615 int (*okfn)(struct sk_buff *))
4616 {
4617 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4618 }
4619 #endif /* IPV6 */
4620
4621 static unsigned int selinux_ip_output(struct sk_buff *skb,
4622 u16 family)
4623 {
4624 u32 sid;
4625
4626 if (!netlbl_enabled())
4627 return NF_ACCEPT;
4628
4629 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4630 * because we want to make sure we apply the necessary labeling
4631 * before IPsec is applied so we can leverage AH protection */
4632 if (skb->sk) {
4633 struct sk_security_struct *sksec = skb->sk->sk_security;
4634 sid = sksec->sid;
4635 } else
4636 sid = SECINITSID_KERNEL;
4637 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4638 return NF_DROP;
4639
4640 return NF_ACCEPT;
4641 }
4642
4643 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4644 struct sk_buff *skb,
4645 const struct net_device *in,
4646 const struct net_device *out,
4647 int (*okfn)(struct sk_buff *))
4648 {
4649 return selinux_ip_output(skb, PF_INET);
4650 }
4651
4652 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4653 int ifindex,
4654 u16 family)
4655 {
4656 struct sock *sk = skb->sk;
4657 struct sk_security_struct *sksec;
4658 struct common_audit_data ad;
4659 struct lsm_network_audit net = {0,};
4660 char *addrp;
4661 u8 proto;
4662
4663 if (sk == NULL)
4664 return NF_ACCEPT;
4665 sksec = sk->sk_security;
4666
4667 ad.type = LSM_AUDIT_DATA_NET;
4668 ad.u.net = &net;
4669 ad.u.net->netif = ifindex;
4670 ad.u.net->family = family;
4671 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4672 return NF_DROP;
4673
4674 if (selinux_secmark_enabled())
4675 if (avc_has_perm(sksec->sid, skb->secmark,
4676 SECCLASS_PACKET, PACKET__SEND, &ad))
4677 return NF_DROP_ERR(-ECONNREFUSED);
4678
4679 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4680 return NF_DROP_ERR(-ECONNREFUSED);
4681
4682 return NF_ACCEPT;
4683 }
4684
4685 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4686 u16 family)
4687 {
4688 u32 secmark_perm;
4689 u32 peer_sid;
4690 struct sock *sk;
4691 struct common_audit_data ad;
4692 struct lsm_network_audit net = {0,};
4693 char *addrp;
4694 u8 secmark_active;
4695 u8 peerlbl_active;
4696
4697 /* If any sort of compatibility mode is enabled then handoff processing
4698 * to the selinux_ip_postroute_compat() function to deal with the
4699 * special handling. We do this in an attempt to keep this function
4700 * as fast and as clean as possible. */
4701 if (!selinux_policycap_netpeer)
4702 return selinux_ip_postroute_compat(skb, ifindex, family);
4703 #ifdef CONFIG_XFRM
4704 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4705 * packet transformation so allow the packet to pass without any checks
4706 * since we'll have another chance to perform access control checks
4707 * when the packet is on it's final way out.
4708 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4709 * is NULL, in this case go ahead and apply access control. */
4710 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4711 return NF_ACCEPT;
4712 #endif
4713 secmark_active = selinux_secmark_enabled();
4714 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4715 if (!secmark_active && !peerlbl_active)
4716 return NF_ACCEPT;
4717
4718 /* if the packet is being forwarded then get the peer label from the
4719 * packet itself; otherwise check to see if it is from a local
4720 * application or the kernel, if from an application get the peer label
4721 * from the sending socket, otherwise use the kernel's sid */
4722 sk = skb->sk;
4723 if (sk == NULL) {
4724 if (skb->skb_iif) {
4725 secmark_perm = PACKET__FORWARD_OUT;
4726 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4727 return NF_DROP;
4728 } else {
4729 secmark_perm = PACKET__SEND;
4730 peer_sid = SECINITSID_KERNEL;
4731 }
4732 } else {
4733 struct sk_security_struct *sksec = sk->sk_security;
4734 peer_sid = sksec->sid;
4735 secmark_perm = PACKET__SEND;
4736 }
4737
4738 ad.type = LSM_AUDIT_DATA_NET;
4739 ad.u.net = &net;
4740 ad.u.net->netif = ifindex;
4741 ad.u.net->family = family;
4742 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4743 return NF_DROP;
4744
4745 if (secmark_active)
4746 if (avc_has_perm(peer_sid, skb->secmark,
4747 SECCLASS_PACKET, secmark_perm, &ad))
4748 return NF_DROP_ERR(-ECONNREFUSED);
4749
4750 if (peerlbl_active) {
4751 u32 if_sid;
4752 u32 node_sid;
4753
4754 if (sel_netif_sid(ifindex, &if_sid))
4755 return NF_DROP;
4756 if (avc_has_perm(peer_sid, if_sid,
4757 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4758 return NF_DROP_ERR(-ECONNREFUSED);
4759
4760 if (sel_netnode_sid(addrp, family, &node_sid))
4761 return NF_DROP;
4762 if (avc_has_perm(peer_sid, node_sid,
4763 SECCLASS_NODE, NODE__SENDTO, &ad))
4764 return NF_DROP_ERR(-ECONNREFUSED);
4765 }
4766
4767 return NF_ACCEPT;
4768 }
4769
4770 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4771 struct sk_buff *skb,
4772 const struct net_device *in,
4773 const struct net_device *out,
4774 int (*okfn)(struct sk_buff *))
4775 {
4776 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4777 }
4778
4779 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4780 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4781 struct sk_buff *skb,
4782 const struct net_device *in,
4783 const struct net_device *out,
4784 int (*okfn)(struct sk_buff *))
4785 {
4786 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4787 }
4788 #endif /* IPV6 */
4789
4790 #endif /* CONFIG_NETFILTER */
4791
4792 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4793 {
4794 int err;
4795
4796 err = cap_netlink_send(sk, skb);
4797 if (err)
4798 return err;
4799
4800 return selinux_nlmsg_perm(sk, skb);
4801 }
4802
4803 static int ipc_alloc_security(struct task_struct *task,
4804 struct kern_ipc_perm *perm,
4805 u16 sclass)
4806 {
4807 struct ipc_security_struct *isec;
4808 u32 sid;
4809
4810 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4811 if (!isec)
4812 return -ENOMEM;
4813
4814 sid = task_sid(task);
4815 isec->sclass = sclass;
4816 isec->sid = sid;
4817 perm->security = isec;
4818
4819 return 0;
4820 }
4821
4822 static void ipc_free_security(struct kern_ipc_perm *perm)
4823 {
4824 struct ipc_security_struct *isec = perm->security;
4825 perm->security = NULL;
4826 kfree(isec);
4827 }
4828
4829 static int msg_msg_alloc_security(struct msg_msg *msg)
4830 {
4831 struct msg_security_struct *msec;
4832
4833 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4834 if (!msec)
4835 return -ENOMEM;
4836
4837 msec->sid = SECINITSID_UNLABELED;
4838 msg->security = msec;
4839
4840 return 0;
4841 }
4842
4843 static void msg_msg_free_security(struct msg_msg *msg)
4844 {
4845 struct msg_security_struct *msec = msg->security;
4846
4847 msg->security = NULL;
4848 kfree(msec);
4849 }
4850
4851 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4852 u32 perms)
4853 {
4854 struct ipc_security_struct *isec;
4855 struct common_audit_data ad;
4856 u32 sid = current_sid();
4857
4858 isec = ipc_perms->security;
4859
4860 ad.type = LSM_AUDIT_DATA_IPC;
4861 ad.u.ipc_id = ipc_perms->key;
4862
4863 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4864 }
4865
4866 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4867 {
4868 return msg_msg_alloc_security(msg);
4869 }
4870
4871 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4872 {
4873 msg_msg_free_security(msg);
4874 }
4875
4876 /* message queue security operations */
4877 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4878 {
4879 struct ipc_security_struct *isec;
4880 struct common_audit_data ad;
4881 u32 sid = current_sid();
4882 int rc;
4883
4884 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4885 if (rc)
4886 return rc;
4887
4888 isec = msq->q_perm.security;
4889
4890 ad.type = LSM_AUDIT_DATA_IPC;
4891 ad.u.ipc_id = msq->q_perm.key;
4892
4893 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4894 MSGQ__CREATE, &ad);
4895 if (rc) {
4896 ipc_free_security(&msq->q_perm);
4897 return rc;
4898 }
4899 return 0;
4900 }
4901
4902 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4903 {
4904 ipc_free_security(&msq->q_perm);
4905 }
4906
4907 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4908 {
4909 struct ipc_security_struct *isec;
4910 struct common_audit_data ad;
4911 u32 sid = current_sid();
4912
4913 isec = msq->q_perm.security;
4914
4915 ad.type = LSM_AUDIT_DATA_IPC;
4916 ad.u.ipc_id = msq->q_perm.key;
4917
4918 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4919 MSGQ__ASSOCIATE, &ad);
4920 }
4921
4922 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4923 {
4924 int err;
4925 int perms;
4926
4927 switch (cmd) {
4928 case IPC_INFO:
4929 case MSG_INFO:
4930 /* No specific object, just general system-wide information. */
4931 return task_has_system(current, SYSTEM__IPC_INFO);
4932 case IPC_STAT:
4933 case MSG_STAT:
4934 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4935 break;
4936 case IPC_SET:
4937 perms = MSGQ__SETATTR;
4938 break;
4939 case IPC_RMID:
4940 perms = MSGQ__DESTROY;
4941 break;
4942 default:
4943 return 0;
4944 }
4945
4946 err = ipc_has_perm(&msq->q_perm, perms);
4947 return err;
4948 }
4949
4950 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4951 {
4952 struct ipc_security_struct *isec;
4953 struct msg_security_struct *msec;
4954 struct common_audit_data ad;
4955 u32 sid = current_sid();
4956 int rc;
4957
4958 isec = msq->q_perm.security;
4959 msec = msg->security;
4960
4961 /*
4962 * First time through, need to assign label to the message
4963 */
4964 if (msec->sid == SECINITSID_UNLABELED) {
4965 /*
4966 * Compute new sid based on current process and
4967 * message queue this message will be stored in
4968 */
4969 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4970 NULL, &msec->sid);
4971 if (rc)
4972 return rc;
4973 }
4974
4975 ad.type = LSM_AUDIT_DATA_IPC;
4976 ad.u.ipc_id = msq->q_perm.key;
4977
4978 /* Can this process write to the queue? */
4979 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4980 MSGQ__WRITE, &ad);
4981 if (!rc)
4982 /* Can this process send the message */
4983 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4984 MSG__SEND, &ad);
4985 if (!rc)
4986 /* Can the message be put in the queue? */
4987 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4988 MSGQ__ENQUEUE, &ad);
4989
4990 return rc;
4991 }
4992
4993 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4994 struct task_struct *target,
4995 long type, int mode)
4996 {
4997 struct ipc_security_struct *isec;
4998 struct msg_security_struct *msec;
4999 struct common_audit_data ad;
5000 u32 sid = task_sid(target);
5001 int rc;
5002
5003 isec = msq->q_perm.security;
5004 msec = msg->security;
5005
5006 ad.type = LSM_AUDIT_DATA_IPC;
5007 ad.u.ipc_id = msq->q_perm.key;
5008
5009 rc = avc_has_perm(sid, isec->sid,
5010 SECCLASS_MSGQ, MSGQ__READ, &ad);
5011 if (!rc)
5012 rc = avc_has_perm(sid, msec->sid,
5013 SECCLASS_MSG, MSG__RECEIVE, &ad);
5014 return rc;
5015 }
5016
5017 /* Shared Memory security operations */
5018 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5019 {
5020 struct ipc_security_struct *isec;
5021 struct common_audit_data ad;
5022 u32 sid = current_sid();
5023 int rc;
5024
5025 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5026 if (rc)
5027 return rc;
5028
5029 isec = shp->shm_perm.security;
5030
5031 ad.type = LSM_AUDIT_DATA_IPC;
5032 ad.u.ipc_id = shp->shm_perm.key;
5033
5034 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5035 SHM__CREATE, &ad);
5036 if (rc) {
5037 ipc_free_security(&shp->shm_perm);
5038 return rc;
5039 }
5040 return 0;
5041 }
5042
5043 static void selinux_shm_free_security(struct shmid_kernel *shp)
5044 {
5045 ipc_free_security(&shp->shm_perm);
5046 }
5047
5048 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5049 {
5050 struct ipc_security_struct *isec;
5051 struct common_audit_data ad;
5052 u32 sid = current_sid();
5053
5054 isec = shp->shm_perm.security;
5055
5056 ad.type = LSM_AUDIT_DATA_IPC;
5057 ad.u.ipc_id = shp->shm_perm.key;
5058
5059 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5060 SHM__ASSOCIATE, &ad);
5061 }
5062
5063 /* Note, at this point, shp is locked down */
5064 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5065 {
5066 int perms;
5067 int err;
5068
5069 switch (cmd) {
5070 case IPC_INFO:
5071 case SHM_INFO:
5072 /* No specific object, just general system-wide information. */
5073 return task_has_system(current, SYSTEM__IPC_INFO);
5074 case IPC_STAT:
5075 case SHM_STAT:
5076 perms = SHM__GETATTR | SHM__ASSOCIATE;
5077 break;
5078 case IPC_SET:
5079 perms = SHM__SETATTR;
5080 break;
5081 case SHM_LOCK:
5082 case SHM_UNLOCK:
5083 perms = SHM__LOCK;
5084 break;
5085 case IPC_RMID:
5086 perms = SHM__DESTROY;
5087 break;
5088 default:
5089 return 0;
5090 }
5091
5092 err = ipc_has_perm(&shp->shm_perm, perms);
5093 return err;
5094 }
5095
5096 static int selinux_shm_shmat(struct shmid_kernel *shp,
5097 char __user *shmaddr, int shmflg)
5098 {
5099 u32 perms;
5100
5101 if (shmflg & SHM_RDONLY)
5102 perms = SHM__READ;
5103 else
5104 perms = SHM__READ | SHM__WRITE;
5105
5106 return ipc_has_perm(&shp->shm_perm, perms);
5107 }
5108
5109 /* Semaphore security operations */
5110 static int selinux_sem_alloc_security(struct sem_array *sma)
5111 {
5112 struct ipc_security_struct *isec;
5113 struct common_audit_data ad;
5114 u32 sid = current_sid();
5115 int rc;
5116
5117 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5118 if (rc)
5119 return rc;
5120
5121 isec = sma->sem_perm.security;
5122
5123 ad.type = LSM_AUDIT_DATA_IPC;
5124 ad.u.ipc_id = sma->sem_perm.key;
5125
5126 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5127 SEM__CREATE, &ad);
5128 if (rc) {
5129 ipc_free_security(&sma->sem_perm);
5130 return rc;
5131 }
5132 return 0;
5133 }
5134
5135 static void selinux_sem_free_security(struct sem_array *sma)
5136 {
5137 ipc_free_security(&sma->sem_perm);
5138 }
5139
5140 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5141 {
5142 struct ipc_security_struct *isec;
5143 struct common_audit_data ad;
5144 u32 sid = current_sid();
5145
5146 isec = sma->sem_perm.security;
5147
5148 ad.type = LSM_AUDIT_DATA_IPC;
5149 ad.u.ipc_id = sma->sem_perm.key;
5150
5151 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5152 SEM__ASSOCIATE, &ad);
5153 }
5154
5155 /* Note, at this point, sma is locked down */
5156 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5157 {
5158 int err;
5159 u32 perms;
5160
5161 switch (cmd) {
5162 case IPC_INFO:
5163 case SEM_INFO:
5164 /* No specific object, just general system-wide information. */
5165 return task_has_system(current, SYSTEM__IPC_INFO);
5166 case GETPID:
5167 case GETNCNT:
5168 case GETZCNT:
5169 perms = SEM__GETATTR;
5170 break;
5171 case GETVAL:
5172 case GETALL:
5173 perms = SEM__READ;
5174 break;
5175 case SETVAL:
5176 case SETALL:
5177 perms = SEM__WRITE;
5178 break;
5179 case IPC_RMID:
5180 perms = SEM__DESTROY;
5181 break;
5182 case IPC_SET:
5183 perms = SEM__SETATTR;
5184 break;
5185 case IPC_STAT:
5186 case SEM_STAT:
5187 perms = SEM__GETATTR | SEM__ASSOCIATE;
5188 break;
5189 default:
5190 return 0;
5191 }
5192
5193 err = ipc_has_perm(&sma->sem_perm, perms);
5194 return err;
5195 }
5196
5197 static int selinux_sem_semop(struct sem_array *sma,
5198 struct sembuf *sops, unsigned nsops, int alter)
5199 {
5200 u32 perms;
5201
5202 if (alter)
5203 perms = SEM__READ | SEM__WRITE;
5204 else
5205 perms = SEM__READ;
5206
5207 return ipc_has_perm(&sma->sem_perm, perms);
5208 }
5209
5210 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5211 {
5212 u32 av = 0;
5213
5214 av = 0;
5215 if (flag & S_IRUGO)
5216 av |= IPC__UNIX_READ;
5217 if (flag & S_IWUGO)
5218 av |= IPC__UNIX_WRITE;
5219
5220 if (av == 0)
5221 return 0;
5222
5223 return ipc_has_perm(ipcp, av);
5224 }
5225
5226 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5227 {
5228 struct ipc_security_struct *isec = ipcp->security;
5229 *secid = isec->sid;
5230 }
5231
5232 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5233 {
5234 if (inode)
5235 inode_doinit_with_dentry(inode, dentry);
5236 }
5237
5238 static int selinux_getprocattr(struct task_struct *p,
5239 char *name, char **value)
5240 {
5241 const struct task_security_struct *__tsec;
5242 u32 sid;
5243 int error;
5244 unsigned len;
5245
5246 if (current != p) {
5247 error = current_has_perm(p, PROCESS__GETATTR);
5248 if (error)
5249 return error;
5250 }
5251
5252 rcu_read_lock();
5253 __tsec = __task_cred(p)->security;
5254
5255 if (!strcmp(name, "current"))
5256 sid = __tsec->sid;
5257 else if (!strcmp(name, "prev"))
5258 sid = __tsec->osid;
5259 else if (!strcmp(name, "exec"))
5260 sid = __tsec->exec_sid;
5261 else if (!strcmp(name, "fscreate"))
5262 sid = __tsec->create_sid;
5263 else if (!strcmp(name, "keycreate"))
5264 sid = __tsec->keycreate_sid;
5265 else if (!strcmp(name, "sockcreate"))
5266 sid = __tsec->sockcreate_sid;
5267 else
5268 goto invalid;
5269 rcu_read_unlock();
5270
5271 if (!sid)
5272 return 0;
5273
5274 error = security_sid_to_context(sid, value, &len);
5275 if (error)
5276 return error;
5277 return len;
5278
5279 invalid:
5280 rcu_read_unlock();
5281 return -EINVAL;
5282 }
5283
5284 static int selinux_setprocattr(struct task_struct *p,
5285 char *name, void *value, size_t size)
5286 {
5287 struct task_security_struct *tsec;
5288 struct task_struct *tracer;
5289 struct cred *new;
5290 u32 sid = 0, ptsid;
5291 int error;
5292 char *str = value;
5293
5294 if (current != p) {
5295 /* SELinux only allows a process to change its own
5296 security attributes. */
5297 return -EACCES;
5298 }
5299
5300 /*
5301 * Basic control over ability to set these attributes at all.
5302 * current == p, but we'll pass them separately in case the
5303 * above restriction is ever removed.
5304 */
5305 if (!strcmp(name, "exec"))
5306 error = current_has_perm(p, PROCESS__SETEXEC);
5307 else if (!strcmp(name, "fscreate"))
5308 error = current_has_perm(p, PROCESS__SETFSCREATE);
5309 else if (!strcmp(name, "keycreate"))
5310 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5311 else if (!strcmp(name, "sockcreate"))
5312 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5313 else if (!strcmp(name, "current"))
5314 error = current_has_perm(p, PROCESS__SETCURRENT);
5315 else
5316 error = -EINVAL;
5317 if (error)
5318 return error;
5319
5320 /* Obtain a SID for the context, if one was specified. */
5321 if (size && str[1] && str[1] != '\n') {
5322 if (str[size-1] == '\n') {
5323 str[size-1] = 0;
5324 size--;
5325 }
5326 error = security_context_to_sid(value, size, &sid);
5327 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5328 if (!capable(CAP_MAC_ADMIN)) {
5329 struct audit_buffer *ab;
5330 size_t audit_size;
5331
5332 /* We strip a nul only if it is at the end, otherwise the
5333 * context contains a nul and we should audit that */
5334 if (str[size - 1] == '\0')
5335 audit_size = size - 1;
5336 else
5337 audit_size = size;
5338 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5339 audit_log_format(ab, "op=fscreate invalid_context=");
5340 audit_log_n_untrustedstring(ab, value, audit_size);
5341 audit_log_end(ab);
5342
5343 return error;
5344 }
5345 error = security_context_to_sid_force(value, size,
5346 &sid);
5347 }
5348 if (error)
5349 return error;
5350 }
5351
5352 new = prepare_creds();
5353 if (!new)
5354 return -ENOMEM;
5355
5356 /* Permission checking based on the specified context is
5357 performed during the actual operation (execve,
5358 open/mkdir/...), when we know the full context of the
5359 operation. See selinux_bprm_set_creds for the execve
5360 checks and may_create for the file creation checks. The
5361 operation will then fail if the context is not permitted. */
5362 tsec = new->security;
5363 if (!strcmp(name, "exec")) {
5364 tsec->exec_sid = sid;
5365 } else if (!strcmp(name, "fscreate")) {
5366 tsec->create_sid = sid;
5367 } else if (!strcmp(name, "keycreate")) {
5368 error = may_create_key(sid, p);
5369 if (error)
5370 goto abort_change;
5371 tsec->keycreate_sid = sid;
5372 } else if (!strcmp(name, "sockcreate")) {
5373 tsec->sockcreate_sid = sid;
5374 } else if (!strcmp(name, "current")) {
5375 error = -EINVAL;
5376 if (sid == 0)
5377 goto abort_change;
5378
5379 /* Only allow single threaded processes to change context */
5380 error = -EPERM;
5381 if (!current_is_single_threaded()) {
5382 error = security_bounded_transition(tsec->sid, sid);
5383 if (error)
5384 goto abort_change;
5385 }
5386
5387 /* Check permissions for the transition. */
5388 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5389 PROCESS__DYNTRANSITION, NULL);
5390 if (error)
5391 goto abort_change;
5392
5393 /* Check for ptracing, and update the task SID if ok.
5394 Otherwise, leave SID unchanged and fail. */
5395 ptsid = 0;
5396 task_lock(p);
5397 tracer = ptrace_parent(p);
5398 if (tracer)
5399 ptsid = task_sid(tracer);
5400 task_unlock(p);
5401
5402 if (tracer) {
5403 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5404 PROCESS__PTRACE, NULL);
5405 if (error)
5406 goto abort_change;
5407 }
5408
5409 tsec->sid = sid;
5410 } else {
5411 error = -EINVAL;
5412 goto abort_change;
5413 }
5414
5415 commit_creds(new);
5416 return size;
5417
5418 abort_change:
5419 abort_creds(new);
5420 return error;
5421 }
5422
5423 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5424 {
5425 return security_sid_to_context(secid, secdata, seclen);
5426 }
5427
5428 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5429 {
5430 return security_context_to_sid(secdata, seclen, secid);
5431 }
5432
5433 static void selinux_release_secctx(char *secdata, u32 seclen)
5434 {
5435 kfree(secdata);
5436 }
5437
5438 /*
5439 * called with inode->i_mutex locked
5440 */
5441 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5442 {
5443 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5444 }
5445
5446 /*
5447 * called with inode->i_mutex locked
5448 */
5449 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5450 {
5451 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5452 }
5453
5454 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5455 {
5456 int len = 0;
5457 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5458 ctx, true);
5459 if (len < 0)
5460 return len;
5461 *ctxlen = len;
5462 return 0;
5463 }
5464 #ifdef CONFIG_KEYS
5465
5466 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5467 unsigned long flags)
5468 {
5469 const struct task_security_struct *tsec;
5470 struct key_security_struct *ksec;
5471
5472 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5473 if (!ksec)
5474 return -ENOMEM;
5475
5476 tsec = cred->security;
5477 if (tsec->keycreate_sid)
5478 ksec->sid = tsec->keycreate_sid;
5479 else
5480 ksec->sid = tsec->sid;
5481
5482 k->security = ksec;
5483 return 0;
5484 }
5485
5486 static void selinux_key_free(struct key *k)
5487 {
5488 struct key_security_struct *ksec = k->security;
5489
5490 k->security = NULL;
5491 kfree(ksec);
5492 }
5493
5494 static int selinux_key_permission(key_ref_t key_ref,
5495 const struct cred *cred,
5496 key_perm_t perm)
5497 {
5498 struct key *key;
5499 struct key_security_struct *ksec;
5500 u32 sid;
5501
5502 /* if no specific permissions are requested, we skip the
5503 permission check. No serious, additional covert channels
5504 appear to be created. */
5505 if (perm == 0)
5506 return 0;
5507
5508 sid = cred_sid(cred);
5509
5510 key = key_ref_to_ptr(key_ref);
5511 ksec = key->security;
5512
5513 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5514 }
5515
5516 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5517 {
5518 struct key_security_struct *ksec = key->security;
5519 char *context = NULL;
5520 unsigned len;
5521 int rc;
5522
5523 rc = security_sid_to_context(ksec->sid, &context, &len);
5524 if (!rc)
5525 rc = len;
5526 *_buffer = context;
5527 return rc;
5528 }
5529
5530 #endif
5531
5532 static struct security_operations selinux_ops = {
5533 .name = "selinux",
5534
5535 .ptrace_access_check = selinux_ptrace_access_check,
5536 .ptrace_traceme = selinux_ptrace_traceme,
5537 .capget = selinux_capget,
5538 .capset = selinux_capset,
5539 .capable = selinux_capable,
5540 .quotactl = selinux_quotactl,
5541 .quota_on = selinux_quota_on,
5542 .syslog = selinux_syslog,
5543 .vm_enough_memory = selinux_vm_enough_memory,
5544
5545 .netlink_send = selinux_netlink_send,
5546
5547 .bprm_set_creds = selinux_bprm_set_creds,
5548 .bprm_committing_creds = selinux_bprm_committing_creds,
5549 .bprm_committed_creds = selinux_bprm_committed_creds,
5550 .bprm_secureexec = selinux_bprm_secureexec,
5551
5552 .sb_alloc_security = selinux_sb_alloc_security,
5553 .sb_free_security = selinux_sb_free_security,
5554 .sb_copy_data = selinux_sb_copy_data,
5555 .sb_remount = selinux_sb_remount,
5556 .sb_kern_mount = selinux_sb_kern_mount,
5557 .sb_show_options = selinux_sb_show_options,
5558 .sb_statfs = selinux_sb_statfs,
5559 .sb_mount = selinux_mount,
5560 .sb_umount = selinux_umount,
5561 .sb_set_mnt_opts = selinux_set_mnt_opts,
5562 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5563 .sb_parse_opts_str = selinux_parse_opts_str,
5564
5565
5566 .inode_alloc_security = selinux_inode_alloc_security,
5567 .inode_free_security = selinux_inode_free_security,
5568 .inode_init_security = selinux_inode_init_security,
5569 .inode_create = selinux_inode_create,
5570 .inode_link = selinux_inode_link,
5571 .inode_unlink = selinux_inode_unlink,
5572 .inode_symlink = selinux_inode_symlink,
5573 .inode_mkdir = selinux_inode_mkdir,
5574 .inode_rmdir = selinux_inode_rmdir,
5575 .inode_mknod = selinux_inode_mknod,
5576 .inode_rename = selinux_inode_rename,
5577 .inode_readlink = selinux_inode_readlink,
5578 .inode_follow_link = selinux_inode_follow_link,
5579 .inode_permission = selinux_inode_permission,
5580 .inode_setattr = selinux_inode_setattr,
5581 .inode_getattr = selinux_inode_getattr,
5582 .inode_setxattr = selinux_inode_setxattr,
5583 .inode_post_setxattr = selinux_inode_post_setxattr,
5584 .inode_getxattr = selinux_inode_getxattr,
5585 .inode_listxattr = selinux_inode_listxattr,
5586 .inode_removexattr = selinux_inode_removexattr,
5587 .inode_getsecurity = selinux_inode_getsecurity,
5588 .inode_setsecurity = selinux_inode_setsecurity,
5589 .inode_listsecurity = selinux_inode_listsecurity,
5590 .inode_getsecid = selinux_inode_getsecid,
5591
5592 .file_permission = selinux_file_permission,
5593 .file_alloc_security = selinux_file_alloc_security,
5594 .file_free_security = selinux_file_free_security,
5595 .file_ioctl = selinux_file_ioctl,
5596 .mmap_file = selinux_mmap_file,
5597 .mmap_addr = selinux_mmap_addr,
5598 .file_mprotect = selinux_file_mprotect,
5599 .file_lock = selinux_file_lock,
5600 .file_fcntl = selinux_file_fcntl,
5601 .file_set_fowner = selinux_file_set_fowner,
5602 .file_send_sigiotask = selinux_file_send_sigiotask,
5603 .file_receive = selinux_file_receive,
5604
5605 .file_open = selinux_file_open,
5606
5607 .task_create = selinux_task_create,
5608 .cred_alloc_blank = selinux_cred_alloc_blank,
5609 .cred_free = selinux_cred_free,
5610 .cred_prepare = selinux_cred_prepare,
5611 .cred_transfer = selinux_cred_transfer,
5612 .kernel_act_as = selinux_kernel_act_as,
5613 .kernel_create_files_as = selinux_kernel_create_files_as,
5614 .kernel_module_request = selinux_kernel_module_request,
5615 .task_setpgid = selinux_task_setpgid,
5616 .task_getpgid = selinux_task_getpgid,
5617 .task_getsid = selinux_task_getsid,
5618 .task_getsecid = selinux_task_getsecid,
5619 .task_setnice = selinux_task_setnice,
5620 .task_setioprio = selinux_task_setioprio,
5621 .task_getioprio = selinux_task_getioprio,
5622 .task_setrlimit = selinux_task_setrlimit,
5623 .task_setscheduler = selinux_task_setscheduler,
5624 .task_getscheduler = selinux_task_getscheduler,
5625 .task_movememory = selinux_task_movememory,
5626 .task_kill = selinux_task_kill,
5627 .task_wait = selinux_task_wait,
5628 .task_to_inode = selinux_task_to_inode,
5629
5630 .ipc_permission = selinux_ipc_permission,
5631 .ipc_getsecid = selinux_ipc_getsecid,
5632
5633 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5634 .msg_msg_free_security = selinux_msg_msg_free_security,
5635
5636 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5637 .msg_queue_free_security = selinux_msg_queue_free_security,
5638 .msg_queue_associate = selinux_msg_queue_associate,
5639 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5640 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5641 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5642
5643 .shm_alloc_security = selinux_shm_alloc_security,
5644 .shm_free_security = selinux_shm_free_security,
5645 .shm_associate = selinux_shm_associate,
5646 .shm_shmctl = selinux_shm_shmctl,
5647 .shm_shmat = selinux_shm_shmat,
5648
5649 .sem_alloc_security = selinux_sem_alloc_security,
5650 .sem_free_security = selinux_sem_free_security,
5651 .sem_associate = selinux_sem_associate,
5652 .sem_semctl = selinux_sem_semctl,
5653 .sem_semop = selinux_sem_semop,
5654
5655 .d_instantiate = selinux_d_instantiate,
5656
5657 .getprocattr = selinux_getprocattr,
5658 .setprocattr = selinux_setprocattr,
5659
5660 .secid_to_secctx = selinux_secid_to_secctx,
5661 .secctx_to_secid = selinux_secctx_to_secid,
5662 .release_secctx = selinux_release_secctx,
5663 .inode_notifysecctx = selinux_inode_notifysecctx,
5664 .inode_setsecctx = selinux_inode_setsecctx,
5665 .inode_getsecctx = selinux_inode_getsecctx,
5666
5667 .unix_stream_connect = selinux_socket_unix_stream_connect,
5668 .unix_may_send = selinux_socket_unix_may_send,
5669
5670 .socket_create = selinux_socket_create,
5671 .socket_post_create = selinux_socket_post_create,
5672 .socket_bind = selinux_socket_bind,
5673 .socket_connect = selinux_socket_connect,
5674 .socket_listen = selinux_socket_listen,
5675 .socket_accept = selinux_socket_accept,
5676 .socket_sendmsg = selinux_socket_sendmsg,
5677 .socket_recvmsg = selinux_socket_recvmsg,
5678 .socket_getsockname = selinux_socket_getsockname,
5679 .socket_getpeername = selinux_socket_getpeername,
5680 .socket_getsockopt = selinux_socket_getsockopt,
5681 .socket_setsockopt = selinux_socket_setsockopt,
5682 .socket_shutdown = selinux_socket_shutdown,
5683 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5684 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5685 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5686 .sk_alloc_security = selinux_sk_alloc_security,
5687 .sk_free_security = selinux_sk_free_security,
5688 .sk_clone_security = selinux_sk_clone_security,
5689 .sk_getsecid = selinux_sk_getsecid,
5690 .sock_graft = selinux_sock_graft,
5691 .inet_conn_request = selinux_inet_conn_request,
5692 .inet_csk_clone = selinux_inet_csk_clone,
5693 .inet_conn_established = selinux_inet_conn_established,
5694 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5695 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5696 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5697 .req_classify_flow = selinux_req_classify_flow,
5698 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5699 .tun_dev_free_security = selinux_tun_dev_free_security,
5700 .tun_dev_create = selinux_tun_dev_create,
5701 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5702 .tun_dev_attach = selinux_tun_dev_attach,
5703 .tun_dev_open = selinux_tun_dev_open,
5704 .skb_owned_by = selinux_skb_owned_by,
5705
5706 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5707 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5708 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5709 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5710 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5711 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5712 .xfrm_state_free_security = selinux_xfrm_state_free,
5713 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5714 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5715 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5716 .xfrm_decode_session = selinux_xfrm_decode_session,
5717 #endif
5718
5719 #ifdef CONFIG_KEYS
5720 .key_alloc = selinux_key_alloc,
5721 .key_free = selinux_key_free,
5722 .key_permission = selinux_key_permission,
5723 .key_getsecurity = selinux_key_getsecurity,
5724 #endif
5725
5726 #ifdef CONFIG_AUDIT
5727 .audit_rule_init = selinux_audit_rule_init,
5728 .audit_rule_known = selinux_audit_rule_known,
5729 .audit_rule_match = selinux_audit_rule_match,
5730 .audit_rule_free = selinux_audit_rule_free,
5731 #endif
5732 };
5733
5734 static __init int selinux_init(void)
5735 {
5736 if (!security_module_enable(&selinux_ops)) {
5737 selinux_enabled = 0;
5738 return 0;
5739 }
5740
5741 if (!selinux_enabled) {
5742 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5743 return 0;
5744 }
5745
5746 printk(KERN_INFO "SELinux: Initializing.\n");
5747
5748 /* Set the security state for the initial task. */
5749 cred_init_security();
5750
5751 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5752
5753 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5754 sizeof(struct inode_security_struct),
5755 0, SLAB_PANIC, NULL);
5756 avc_init();
5757
5758 if (register_security(&selinux_ops))
5759 panic("SELinux: Unable to register with kernel.\n");
5760
5761 if (selinux_enforcing)
5762 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5763 else
5764 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5765
5766 return 0;
5767 }
5768
5769 static void delayed_superblock_init(struct super_block *sb, void *unused)
5770 {
5771 superblock_doinit(sb, NULL);
5772 }
5773
5774 void selinux_complete_init(void)
5775 {
5776 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5777
5778 /* Set up any superblocks initialized prior to the policy load. */
5779 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5780 iterate_supers(delayed_superblock_init, NULL);
5781 }
5782
5783 /* SELinux requires early initialization in order to label
5784 all processes and objects when they are created. */
5785 security_initcall(selinux_init);
5786
5787 #if defined(CONFIG_NETFILTER)
5788
5789 static struct nf_hook_ops selinux_ipv4_ops[] = {
5790 {
5791 .hook = selinux_ipv4_postroute,
5792 .owner = THIS_MODULE,
5793 .pf = NFPROTO_IPV4,
5794 .hooknum = NF_INET_POST_ROUTING,
5795 .priority = NF_IP_PRI_SELINUX_LAST,
5796 },
5797 {
5798 .hook = selinux_ipv4_forward,
5799 .owner = THIS_MODULE,
5800 .pf = NFPROTO_IPV4,
5801 .hooknum = NF_INET_FORWARD,
5802 .priority = NF_IP_PRI_SELINUX_FIRST,
5803 },
5804 {
5805 .hook = selinux_ipv4_output,
5806 .owner = THIS_MODULE,
5807 .pf = NFPROTO_IPV4,
5808 .hooknum = NF_INET_LOCAL_OUT,
5809 .priority = NF_IP_PRI_SELINUX_FIRST,
5810 }
5811 };
5812
5813 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5814
5815 static struct nf_hook_ops selinux_ipv6_ops[] = {
5816 {
5817 .hook = selinux_ipv6_postroute,
5818 .owner = THIS_MODULE,
5819 .pf = NFPROTO_IPV6,
5820 .hooknum = NF_INET_POST_ROUTING,
5821 .priority = NF_IP6_PRI_SELINUX_LAST,
5822 },
5823 {
5824 .hook = selinux_ipv6_forward,
5825 .owner = THIS_MODULE,
5826 .pf = NFPROTO_IPV6,
5827 .hooknum = NF_INET_FORWARD,
5828 .priority = NF_IP6_PRI_SELINUX_FIRST,
5829 }
5830 };
5831
5832 #endif /* IPV6 */
5833
5834 static int __init selinux_nf_ip_init(void)
5835 {
5836 int err = 0;
5837
5838 if (!selinux_enabled)
5839 goto out;
5840
5841 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5842
5843 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5844 if (err)
5845 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5846
5847 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5848 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5849 if (err)
5850 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5851 #endif /* IPV6 */
5852
5853 out:
5854 return err;
5855 }
5856
5857 __initcall(selinux_nf_ip_init);
5858
5859 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5860 static void selinux_nf_ip_exit(void)
5861 {
5862 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5863
5864 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5865 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5866 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5867 #endif /* IPV6 */
5868 }
5869 #endif
5870
5871 #else /* CONFIG_NETFILTER */
5872
5873 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5874 #define selinux_nf_ip_exit()
5875 #endif
5876
5877 #endif /* CONFIG_NETFILTER */
5878
5879 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5880 static int selinux_disabled;
5881
5882 int selinux_disable(void)
5883 {
5884 if (ss_initialized) {
5885 /* Not permitted after initial policy load. */
5886 return -EINVAL;
5887 }
5888
5889 if (selinux_disabled) {
5890 /* Only do this once. */
5891 return -EINVAL;
5892 }
5893
5894 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5895
5896 selinux_disabled = 1;
5897 selinux_enabled = 0;
5898
5899 reset_security_ops();
5900
5901 /* Try to destroy the avc node cache */
5902 avc_disable();
5903
5904 /* Unregister netfilter hooks. */
5905 selinux_nf_ip_exit();
5906
5907 /* Unregister selinuxfs. */
5908 exit_sel_fs();
5909
5910 return 0;
5911 }
5912 #endif
kernel source for telekom puls (alcatel/mediatek)